LLMNR: Closing the barn door on your network

When it comes to the security of your network, an unauthenticated user who can simply plug into the LAN should not be able to walk away with domain administrator credentials for your Active Directory domain. There are a few quick wins you can implement so that if someone is eavesdropping on your network, their life becomes a lot more difficult.

Background

A bit of background: if you have had a penetration test performed on your internal network and you run Microsoft Active Directory, one of the first things the tester will do when they come on site is start a tool called Responder. When a Windows host cannot resolve a name through DNS (a mistyped share name, a decommissioned server that is still referenced in a script), it falls back to asking the local segment, via LLMNR multicast or NBT-NS broadcast, whether anyone knows the name. Responder answers those queries, so the sending computer believes the attacker's machine is the legitimate device it wanted to talk to. The victim then connects to the attacker and authenticates, and instead of serving the request the attacker captures the NTLM challenge-response (the credential hash) being sent for authentication. That hash can be cracked offline or, with a relay tool running alongside Responder, forwarded to another machine that accepts the same credentials, which is the man-in-the-middle case.

In our experience this attack works far more often than not, and it captures not only ordinary user credentials but frequently domain administrator (or other administrator) credentials as well, because administrative accounts and scheduled scripts tend to touch many machines by name. If that happens it is an easy win from there on in: the penetration tester (or malicious actor) can crack or relay the hash, create accounts, dump domain credentials and so forth.

However, for this attack to work it relies on two name-resolution features of Windows that are still shipped for backwards compatibility: LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service). An environment with working DNS should not need either of them, and disabling them should not cause problems today.
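Before turning anything off it is worth knowing whether something is already answering for names on your segment. The following PowerShell is an added example (it is not part of the original post or of the InfoSec Governance script): it sends an LLMNR query for a name that cannot exist (a constructed random label) and reports any host that answers it, which is exactly what a poisoner does. The packet layout assumes the LLMNR wire format, which mirrors a DNS query sent to 224.0.0.252 on UDP 5355; on a clean network nobody replies and the function returns nothing. The function name Test-LlmnrPoisoner is chosen here for illustration.

```powershell
# Added example, not from the original post. Probes the local segment for an LLMNR poisoner
# by querying a constructed name that no real host owns. Any answer is suspicious.
function Test-LlmnrPoisoner {
    param(
        # Constructed, random name: nothing legitimate should claim it
        [string]$Name = ('isg-probe-' + [guid]::NewGuid().ToString('N').Substring(0, 8)),
        [int]$TimeoutMs = 3000
    )

    # LLMNR header: transaction ID, flags = 0 (standard query), QDCOUNT = 1, AN/NS/AR = 0
    $id = Get-Random -Minimum 1 -Maximum 65535
    $packet = [System.Collections.Generic.List[byte]]::new()
    $packet.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0))

    # Question section: length-prefixed labels, root label, QTYPE = A (1), QCLASS = IN (1)
    foreach ($label in $Name.Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $packet.Add([byte]$bytes.Length)
        $packet.AddRange($bytes)
    }
    $packet.AddRange([byte[]]@(0, 0, 1, 0, 1))

    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $dest = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Parse('224.0.0.252'), 5355)
        [void]$udp.Send($packet.ToArray(), $packet.Count, $dest)

        # A poisoner replies unicast to our source port; legitimate hosts stay silent
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)

        # Only trust a reply that echoes our transaction ID and carries at least one answer
        $replyId = ($reply[0] -shl 8) -bor $reply[1]
        $anCount = ($reply[6] -shl 8) -bor $reply[7]
        if ($replyId -eq $id -and $anCount -gt 0) {
            [pscustomobject]@{
                Poisoner    = $remote.Address.ToString()
                QueriedName = $Name
                Answers     = $anCount
            }
        }
    } catch {
        # A receive timeout surfaces as a SocketException: nobody answered, the expected result
        $inner = $_.Exception.InnerException
        if ($inner -isnot [System.Net.Sockets.SocketException] -and
            $_.Exception -isnot [System.Net.Sockets.SocketException]) { throw }
        $null
    } finally {
        $udp.Dispose()
    }
}

$result = Test-LlmnrPoisoner
if ($result) {
    Write-Warning "LLMNR reply for a bogus name from $($result.Poisoner) - investigate this host."
} else {
    'No LLMNR poisoner detected on this segment.'
}
```

Run it from an ordinary user session on the segment you care about; it needs no elevation because it only sends a multicast query. Repeat it a few times, since a poisoner that is configured to answer only selected hosts or name patterns will not reply to every probe.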

Protecting the network

To help you protect your environment and make the penetration tester's (and any attacker's) life a lot harder, you can disable these features, normally without any impact on your environment, as long as it does not rely on legacy systems or applications that still use NetBIOS names.

It goes without saying that before you do this on a large scale, you should test against a small sample of machines to ensure there is no impact on your business.

Disabling NBT-NS

First, disable NetBIOS over TCP/IP (and with it NBT-NS) on all Microsoft Windows machines. This can be done via Group Policy as well as manually.

Group Policy has no built-in setting for this, so to disable it via Group Policy you would create a start-up script that applies the change to every network interface each time the computer boots (which also covers adapters added after the first run). We have a PowerShell script which does this; you can find the code here:

Note: Please run this in a test environment first. InfoSec Governance are not held responsible for any issues with running this script.

<#
.SYNOPSIS
    Name: Disable-NetBIOS.ps1
    Desc: This script can be used to disable NetBIOS over TCP/IP (NBT-NS) on every interface

.DESCRIPTION
    This PowerShell script has been made available to disable NetBIOS, which is usually done to help harden Active Directory environments.
    It sets NetbiosOptions = 2 (disabled) on every interface key under NetBT\Parameters\Interfaces.
    The other values are 0 (use the setting from the DHCP server, the default) and 1 (enabled).
    This script has only been tested on later versions of Windows 10 and Windows 11.

.NOTES
    Author : Marcus Dempsey | InfoSec Governance Ltd | https://isgovern.com
    Created: 14/10/2021
    Updated: 14/10/2021
    Version: 1.0
#>

function Disable-NetBIOS {
    $Interfaces = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
    Get-ChildItem $Interfaces | ForEach-Object {
        # Each child key is named Tcpip_{adapter GUID}; 2 = Disable NetBIOS over TCP/IP
        Set-ItemProperty -Path "$Interfaces\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
    }
}

# Writing under HKLM requires administrative rights (a computer start-up script runs as SYSTEM, which is sufficient)
$RunAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

If ($RunAsAdmin -Eq $False) {
    Write-Host "Not running as administrator, please run the script with administrator level privileges.`n" -ForegroundColor Red
    Break
} ElseIf ($RunAsAdmin -Eq $True) {
    Disable-NetBIOS
}


To disable NetBIOS manually, open the Control Panel and go to Network and Internet > Network Connections. Open the Properties of your network adapter, choose Internet Protocol Version 4 (TCP/IPv4) and click Properties. On the General tab click Advanced, then choose the WINS tab, select Disable NetBIOS over TCP/IP and click OK. This disables NBT-NS for that adapter only (it writes the same NetbiosOptions value the script sets), so repeat it for every adapter. Note that the default option, Use NetBIOS setting from the DHCP server, leaves NBT-NS enabled unless your DHCP server hands out a value that turns it off.

Disabling LLMNR

LLMNR has a built-in Group Policy setting. Open the Group Policy Editor (gpedit.msc for a single machine, or the Group Policy Management Console to edit a domain GPO) and navigate to Computer Configuration > Administrative Templates > Network > DNS Client. Enable Turn off Multicast Name Resolution. This disables LLMNR; under the hood the policy sets the DWORD value EnableMulticast to 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is what to look at when verifying that the policy has actually applied.
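To confirm that both changes have taken effect on a machine, here is an added example (not from the original post, and not part of the Disable-NetBIOS.ps1 script) that reads the registry locations the NBT-NS script and the LLMNR policy write to, and can also set the LLMNR policy value directly on a machine that is not receiving the GPO. It assumes the value names NetbiosOptions (0 = DHCP default, 1 = enabled, 2 = disabled) and EnableMulticast (0 = LLMNR off) described above; the function names Get-NameResolutionHardening and Disable-LLMNR are chosen here for illustration.

```powershell
# Added example, not from the original post. Audits NBT-NS per interface and the LLMNR policy,
# and optionally enforces the LLMNR policy value on the local machine.
function Get-NameResolutionHardening {
    $ifRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

    # One row per Tcpip_{GUID} key; a missing NetbiosOptions value behaves like 0 (DHCP default)
    $nbt = Get-ChildItem $ifRoot | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            NbtnsDisabled  = ($opt -eq 2)
        }
    }

    # The policy value is absent when no GPO has touched the machine: LLMNR is then enabled
    $em = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast

    [pscustomobject]@{
        EnableMulticast  = $em
        LlmnrDisabled    = ($em -eq 0)
        NbtnsInterfaces  = $nbt
        AllNbtnsDisabled = -not ($nbt | Where-Object { -not $_.NbtnsDisabled })
    }
}

function Disable-LLMNR {
    # Writes the same value the "Turn off multicast name resolution" policy writes. Requires
    # administrative rights. On a domain-joined host the domain GPO wins at next refresh, so use
    # this only for machines that are not receiving the policy.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
}

$state = Get-NameResolutionHardening
$state.NbtnsInterfaces | Format-Table -AutoSize

if (-not $state.LlmnrDisabled) {
    Write-Warning 'LLMNR is still enabled: EnableMulticast policy value is not 0.'
}
if (-not $state.AllNbtnsDisabled) {
    Write-Warning 'NetBIOS over TCP/IP is still enabled (or left to DHCP) on at least one interface.'
}
```

After the GPO has been applied, run gpupdate /force on a test machine and then the audit above; an interface that still shows NetbiosOptions 0 or 1 means the start-up script has not run on that adapter yet, and a missing EnableMulticast value means the LLMNR policy has not reached the machine.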