Synopsis : The remote device supports LLMNR. Description : The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.
Reported Risk factor by Nessus: None
In my option the severity should be much higher.
The Nessus plugin can detect the LLMNR service with an uncredentialed scan.
Nmap can also detect a running LLMNR service on a named host.
nmap --script llmnr-resolve --script-args 'llmnr-resolve.hostname=ace' Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-09 11:42 CET Pre-scan script results: | llmnr-resolve: | ACE : 192.168.178.191 |_ Use the newtargets script-arg to add the results as targets WARNING: No targets were specified, so 0 hosts scanned. Nmap done: 0 IP addresses (0 hosts up) scanned in 3.42 seconds
Metasploit can also be used to run the query for a named host.
msf auxiliary(query) > show info Name: LLMNR Query Module: auxiliary/scanner/llmnr/query License: Metasploit Framework License (BSD) Rank: Normal Provided by: Jon Hart <email@example.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BATCHSIZE 256 yes The number of hosts to probe in each set CLASS IN yes The query class (name, # or CLASS#) NAME ace yes The name to query RHOSTS 126.96.36.199 yes The multicast address or CIDR range of targets to query RPORT 5355 yes The target port THREADS 10 yes The number of concurrent threads TYPE A yes The query type (name, # or TYPE#) Description: This module sends LLMNR queries, which are really just normal UDP DNS queries done (usually) over multicast on a different port, 5355. Targets other than the default RHOSTS' 188.8.131.52 should not respond but may anyway. msf auxiliary(query) > run [*] Sending LLMNR A/IN queries for ace to 184.108.40.206->220.127.116.11 port 5355 (1 hosts) [+] 192.168.178.191 responded with ACE: (A 192.168.178.191) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
What is LLMNR?
How to get Windows to give you credentials through LLMNR?
- Responder (python)
- Inveigh (powershell)
- Metasploit modules
How to harden your windows box
Configure the flowing policy setting:
Computer Configuration -> Administrative Templates -> Network -> DNS Client
Set “Turn Off Multicast Name Resolution” to Enabled
This policy setting will set the following registry key:
This can also be done with the LGPO tool.
Create the following text file: dnsclient_lgpo.txt
Computer Software\Policies\Microsoft\Windows NT\DNSClient EnableMulticast DWORD:0
Convert LGPO textfile to create policy file
.\LGPO.exe /r .\dnsclient_lgpo.txt /w dnsclient_llmnr.pol
Import policy command
.\LGPO.exe /m .\dnsclient_llmnr.pol