LLMNR/NBT-NS/mDNS Poisoning

active_directory_enumeration_attacks breachingad

Inside an internal Windows network, when a DNS request fails or no DNS server is available, LLMNR and NBT-NS may be used to send a local name query to the other machines on the subnet.

  • 🐲 LLMNR uses UDP port 5355
  • 🐲 NBT-NS uses UDP port 137
  • ☠️ NBT-NS may be used in older Windows-based networks
  • ☠️ NBT-NS may be used when LLMNR fails to find a host
  • ☠️ mDNS may be used when both LLMNR and NBT-NS failed

Both protocols are vulnerable to multiple attacks such as spoofing.

$ sudo responder -i IP -I tun0
$ sudo responder -I tun0
  • Refer to M-I-T-M for more tools and attacks

LLMNR/NBT-NS Poisoning Remediation 🛡️

active_directory_enumeration_attacks breachingad

The best remediation is to disable both protocols, but in some environments, it may not be possible without impacting existing tools.

We can try to send fake LLMNR or NBT-NS requests for names that do not exist; if a host responds to such a request, it is most likely malicious and needs to be investigated.
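The canary check described above, written as an added example (this is not code from the original page or from Responder): it builds an LLMNR query for a random, non-existent hostname, multicasts it to 224.0.0.252:5355, and reports every host that answers. A legitimate host only answers for its own name, so any answer to a made-up name points at a poisoner. The packet builder and response parser are plain functions so they can be tested offline; the hostname prefix `canary-` and the 2-second listen window are assumptions chosen for this example.

```python
import random
import socket
import string
import struct
from typing import List, Optional, Tuple

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group
LLMNR_PORT = 5355            # LLMNR uses UDP 5355


def build_llmnr_query(name: str, txid: Optional[int] = None) -> bytes:
    """Build an LLMNR A-record query; the wire format is the same as a DNS query."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # header: ID, flags (0 = standard query), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if hops > 16:
                raise ValueError("pointer loop")
            hops += 1
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_llmnr_response(data: bytes, expected_id: int) -> Optional[List[Tuple[str, str]]]:
    """Return [(name, ipv4), ...] if data is a response to expected_id, else None."""
    if len(data) < 12:
        return None
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id or not flags & 0x8000:  # QR bit must be set
        return None
    offset = 12
    for _ in range(qdcount):            # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:   # A record
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def probe_for_poisoner(timeout: float = 2.0) -> Tuple[str, List[Tuple[str, List[Tuple[str, str]]]]]:
    """Multicast a query for a random name; return (name, [(responder_ip, answers), ...])."""
    name = "canary-" + "".join(random.choices(string.ascii_lowercase, k=8))
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    suspects = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:  # collect every answer until the listen window expires
            data, (src_ip, _port) = sock.recvfrom(4096)
            answers = parse_llmnr_response(data, txid)
            if answers:
                suspects.append((src_ip, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, suspects


if __name__ == "__main__":
    queried, hits = probe_for_poisoner()
    print(f"queried non-existent name {queried!r}")
    for ip, answers in hits:
        print(f"SUSPECT {ip} answered: {answers}")
    if not hits:
        print("no host answered: no LLMNR poisoner seen on this segment")
```

Run it from a host on the segment you want to check; repeat over time (a scheduled task or cron job) because poisoners are usually only active during an engagement window.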

We must ensure that both protocols stay disabled, for example by monitoring the registry key HKLM\Software\Policies\Microsoft\Windows NT\DNSClient.
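An added example (not from the original page) of the monitoring step: it reads the LLMNR policy value and the per-interface NetBIOS setting from the registry and reports whether each protocol is disabled. The value names and meanings are assumptions taken from Microsoft's documented settings rather than from the page: `EnableMulticast` under the DNSClient policy key (0 = LLMNR disabled, absent = no policy, so default behaviour), and `NetbiosOptions` under each `NetBT\Parameters\Interfaces\Tcpip_{GUID}` key (0 = follow DHCP, 1 = enabled, 2 = disabled). The interpretation is kept in plain functions so the logic can be tested off a Windows box; only `read_from_registry()` needs Windows.

```python
import sys
from typing import Dict, Optional, Tuple

# Assumed registry locations (Microsoft policy / NetBT settings), relative to HKLM
LLMNR_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
NETBT_IFACES_KEY = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"


def llmnr_state(enable_multicast: Optional[int]) -> str:
    """Interpret the EnableMulticast policy value."""
    if enable_multicast is None:      # no policy at all: LLMNR keeps its default
        return "ENABLED (no policy set)"
    return "DISABLED" if enable_multicast == 0 else "ENABLED"


def nbtns_state(netbios_options: Optional[int]) -> str:
    """Interpret NetbiosOptions for one interface; a missing value behaves like 0."""
    value = 0 if netbios_options is None else netbios_options
    return {2: "DISABLED", 1: "ENABLED", 0: "ENABLED unless DHCP disables it"}.get(value, "UNKNOWN")


def audit(enable_multicast: Optional[int],
          iface_options: Dict[str, Optional[int]]) -> Dict[str, str]:
    """Return a finding per protocol/interface, e.g. {'LLMNR': 'DISABLED', 'NBT-NS Tcpip_{..}': ...}."""
    findings = {"LLMNR": llmnr_state(enable_multicast)}
    for iface, opt in iface_options.items():
        findings[f"NBT-NS {iface}"] = nbtns_state(opt)
    return findings


def is_compliant(findings: Dict[str, str]) -> bool:
    """Compliant only when LLMNR and NBT-NS on every interface are explicitly disabled."""
    return all(state == "DISABLED" for state in findings.values())


def read_from_registry() -> Tuple[Optional[int], Dict[str, Optional[int]]]:
    """Windows only: read the live values; None where a key or value is absent."""
    import winreg  # standard library, but only present on Windows

    def query(path: str, value: str) -> Optional[int]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, value)[0]
        except FileNotFoundError:
            return None

    iface_options: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_IFACES_KEY) as ifaces:
        index = 0
        while True:  # EnumKey raises OSError once the subkeys are exhausted
            try:
                name = winreg.EnumKey(ifaces, index)
            except OSError:
                break
            iface_options[name] = query(NETBT_IFACES_KEY + "\\" + name, "NetbiosOptions")
            index += 1
    return query(LLMNR_POLICY_KEY, "EnableMulticast"), iface_options


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        print("registry read needs Windows; the interpretation functions still work anywhere")
        sys.exit(0)
    result = audit(*read_from_registry())
    for item, state in result.items():
        print(f"{item}: {state}")
    sys.exit(0 if is_compliant(result) else 1)
```

The non-zero exit code makes the script usable as a scheduled compliance check: a host that drifts back to an enabled state (for example after a policy is removed or a new adapter appears with the default NetbiosOptions of 0) shows up as a failure.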

We can try to implement Network Access Control (NAC).