Outdated Protocols

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBNS) are fallback name resolution protocols that are used when queries to DNS fail. Servers and workstations that use these protocols send name resolution requests out on the network in the hope that one of their peers will answer.

Unfortunately, LLMNR or NBNS poisoning is one of the most common types of attack and an easy way for a malicious attacker to gain a foothold in your network. By listening for these requests, a bad actor can answer them so that the requested hostname resolves to a malicious system. Once the victim's system responds and connects to the 'malicious' system, bad things can happen, depending on the types of services the 'malicious' system has installed. The malicious actor can then capture login credentials, obtain the hashed value, and crack passcodes. In other words, this is an easy way to gain unauthorized entry into a network.

Disable These Protocols

First, disable the LLMNR protocol. This can be done through Group Policy: go to Computer Configuration > Administrative Templates > Network > DNS Client and enable 'Turn Off Multicast Name Resolution' by changing its value to 'Enabled'.





Second, disable NetBIOS over TCP. This can be done in several ways. If you only have a few computers, you can go to each adapter and disable it by hand. To do this, open the network connection properties, select TCP/IPv4, click Advanced, then go to the WINS tab. Once there, select 'Disable NetBIOS over TCP'.





Alternatively, if you have a large number of systems and hitting them by hand is out of the question, you can use PowerShell and I have created a script that will do this for you:

# This script takes a list of systems
# and turns off NetBIOS on all of their adapters

# The list: one computer name per line
$computers = Get-Content -Path C:\temp\servers.txt

# Query the adapter configurations on every listed system;
# systems that cannot be reached are skipped silently
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $computers -ErrorAction SilentlyContinue

# Changing the adapters' setting: 2 = disable NetBIOS over TCP/IP
foreach ($adapter in $adapters) {
    Write-Host $adapter
    $adapter.SetTcpipNetbios(2)
}





Make sure your 'servers.txt' file contains a list of system names, one per line.
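To confirm that both changes actually took effect, the following audit script reads the same server list and reports, per system, whether the LLMNR policy value is set and whether any IP-enabled adapter still has NetBIOS enabled. This is an added example, not part of the original script. It assumes PowerShell remoting (WinRM) is enabled on the targets, and the output column names are made up for illustration.

```powershell
# Added example: audit the two mitigations described on this page.
# Assumptions: PowerShell remoting (WinRM) works against every target and
# C:\temp\servers.txt is the same list used by the disable script.
$computers = Get-Content -Path C:\temp\servers.txt

$check = {
    # 'Turn Off Multicast Name Resolution' = Enabled is stored as EnableMulticast = 0
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast

    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled
    $adapters    = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $notDisabled = @($adapters | Where-Object { $_.TcpipNetbiosOptions -ne 2 })

    [pscustomobject]@{
        LlmnrDisabled   = ($llmnr -eq 0)          # a missing value counts as not disabled
        NetbiosDisabled = ($notDisabled.Count -eq 0)
        AdaptersToFix   = ($notDisabled.Description -join '; ')
    }
}

$results = foreach ($computer in $computers) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop
        [pscustomobject]@{
            Computer        = $computer
            Reachable       = $true
            LlmnrDisabled   = $r.LlmnrDisabled
            NetbiosDisabled = $r.NetbiosDisabled
            AdaptersToFix   = $r.AdaptersToFix
        }
    }
    catch {
        # Unlike the disable script, unreachable systems are reported, not skipped
        [pscustomobject]@{
            Computer        = $computer
            Reachable       = $false
            LlmnrDisabled   = $null
            NetbiosDisabled = $null
            AdaptersToFix   = $_.Exception.Message
        }
    }
}

# Systems that still need attention sort to the top
$results | Sort-Object Reachable, LlmnrDisabled, NetbiosDisabled | Format-Table -AutoSize -Wrap
```

Any row where Reachable is False was also skipped by the disable script, because that script suppresses connection errors.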







