Link-Local Multicast Name Resolution (LLMNR) Detection

 Nessus Output

Synopsis :

The remote device supports LLMNR.

Description :

The remote device answered to a Link-local Multicast Name Resolution
(LLMNR) request. This protocol provides a name lookup service similar
to NetBIOS or DNS. It is enabled by default on modern Windows
versions.

Reported Risk factor by Nessus: None
In my opinion the severity should be much higher.

The Nessus plugin can detect the LLMNR service with an uncredentialed scan.

NMAP

Nmap can also detect a running LLMNR service on a named host.

nmap --script llmnr-resolve --script-args 'llmnr-resolve.hostname=ace'
 
Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-09 11:42 CET
Pre-scan script results:
| llmnr-resolve: 
| ACE : 192.168.178.191
|_ Use the newtargets script-arg to add the results as targets
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.42 seconds

Reference: https://nmap.org/nsedoc/scripts/llmnr-resolve.html

Metasploit

Metasploit can also be used to run the query for a named host.
Module: auxiliary/scanner/llmnr/query

msf auxiliary(query) > show info
 
Name: LLMNR Query
 Module: auxiliary/scanner/llmnr/query
 License: Metasploit Framework License (BSD)
 Rank: Normal
 
Provided by:
 Jon Hart <jon_hart@rapid7.com>
 
Basic options:
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 BATCHSIZE 256 yes The number of hosts to probe in each set
 CLASS IN yes The query class (name, # or CLASS#)
 NAME ace yes The name to query
 RHOSTS 224.0.0.252 yes The multicast address or CIDR range of targets to query
 RPORT 5355 yes The target port
 THREADS 10 yes The number of concurrent threads
 TYPE A yes The query type (name, # or TYPE#)
 
Description:
 This module sends LLMNR queries, which are really just normal UDP 
 DNS queries done (usually) over multicast on a different port, 5355. 
 Targets other than the default RHOSTS' 224.0.0.252 should not 
 respond but may anyway.
 
msf auxiliary(query) > run
 
[*] Sending LLMNR A/IN queries for ace to 224.0.0.252->224.0.0.252 port 5355 (1 hosts)
[+] 192.168.178.191 responded with ACE: (A 192.168.178.191)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
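The module description above says LLMNR queries are ordinary DNS-format messages sent over UDP to 224.0.0.252 on port 5355. The following Python script, added here as an example and not part of the original post or of any of the tools it mentions, builds such a query, parses the answer and, in probe(), sends one multicast query and lists every host that answers; the constructed sample datagram reproduces the ACE -> 192.168.178.191 answer from the scan output. Running probe() after applying the hardening setting further down is one way to confirm a host no longer answers. The transaction id 0x1234, the 30-second TTL and the pointer-compressed owner name in the sample are constructed assumptions, not values taken from the post.

```python
"""LLMNR query builder / response parser (added example, not the post's code).
LLMNR (RFC 4795) reuses the DNS wire format: 12-byte header, question section,
resource records. What differs is the transport: UDP 5355 to 224.0.0.252."""
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Encode a name as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """LLMNR A/IN query: header with QDCOUNT=1 and all flag bits clear."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def decode_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(data: bytes, expected_txid: int):
    """Return [(name, ip)] for A/IN answers; ValueError if not our response."""
    if len(data) < 12:
        raise ValueError("short datagram")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):                    # skip the echoed question
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers

def probe(name: str, timeout: float = 2.0):
    """Send one multicast query and collect (source_ip, name, ip) from every
    host that answers; a host with multicast name resolution turned off must
    not appear. Does network I/O, so it is not exercised offline."""
    txid = 0x1234                          # constructed; randomise in real use
    query = build_query(name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
    seen = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(512)
            try:
                seen.extend((src, n, ip) for n, ip in parse_response(data, txid))
            except ValueError:
                continue                   # unrelated datagram, ignore it
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen

# Constructed sample datagram: the ACE -> 192.168.178.191 answer from the scan
# output, with txid 0x1234, QR set, the question echoed and one A record whose
# owner name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
    + encode_name("ace") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
    + socket.inet_aton("192.168.178.191")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))   # [('ace', '192.168.178.191')]
    for src, rname, ip in probe("ace"):
        print(f"{src} answered {rname}: {ip}")
```

parse_response() deliberately rejects datagrams whose transaction id or QR bit does not match, so stray multicast traffic on the segment cannot be mistaken for an answer to the probe.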

 What is LLMNR?

http://technet.microsoft.com/en-us/library/bb878128.aspx

How to get Windows to give you credentials through LLMNR?

Exploit tools

  • Responder (python)
  • Inveigh (powershell)
  • Metasploit modules
    • auxiliary/spoof/llmnr/llmnr_response
    • auxiliary/spoof/nbns/nbns_response
    • auxiliary/server/capture/smb
    • auxiliary/server/capture/http_ntlm

How to harden your Windows box

Configure the following policy setting:
Computer Configuration -> Administrative Templates -> Network -> DNS Client
Set “Turn Off Multicast Name Resolution” to Enabled

This policy setting writes the registry value EnableMulticast (DWORD) = 0 under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient, the same value the LGPO text file below sets.

This can also be done with the LGPO tool.

Create the following text file: dnsclient_lgpo.txt

Computer
Software\Policies\Microsoft\Windows NT\DNSClient
EnableMulticast
DWORD:0

Convert LGPO textfile to create policy file

.\LGPO.exe /r .\dnsclient_lgpo.txt /w dnsclient_llmnr.pol

Import policy command

.\LGPO.exe /m .\dnsclient_llmnr.pol

References