Disabling NetBIOS over TCP/IP & LLMNR – The Problem
By default, NetBIOS over TCP/IP (NBT-NS) and LLMNR (Link-Local Multicast Name Resolution) are enabled on every current Microsoft Windows operating system. This has serious security implications for your network. So much so, in fact, that I’d say it is one of the easiest ways to get a foothold onto a network.
Both protocols resolve hostnames to IP addresses, but they only come into play as a fallback when DNS cannot answer a query (a mistyped share name, a stale shortcut, a WPAD lookup). Since DNS already handles name resolution, they are rarely, if ever, required on a modern domain.
Attacker tooling (LLMNR/NBT-NS poisoners such as Responder) listens for these broadcast and multicast requests and answers every one of them. This tricks the requesting host (the victim) into believing the attacker’s machine is the legitimate destination, so the victim tries to authenticate to it and hands over an NTLMv1/v2 challenge-response (commonly called the Net-NTLM hash), as shown below.
Crack one of these offline and the attacker holds a legitimate username and password to gain a foothold onto your network. Worse, the same poisoning can be chained into other attacks without cracking anything, such as ‘SMB Relay’ (which works wherever SMB signing is not enforced), as I’ve written about here.
Are You Vulnerable?
The easiest way to determine whether your domain-joined workstation is vulnerable is to open either cmd or PowerShell and type the following.
From the screenshot below, you can see that in this case it’s enabled.
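For readers who want something they can run across a fleet rather than eyeball in a screenshot, here is an added PowerShell audit (my addition for this page, not the original command). It reads the policy value that the LLMNR GPO writes (EnableMulticast under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and the per-adapter TcpipNetbiosOptions value from WMI, then checks whether anything is actually bound to UDP 137, because the registry tells you what is configured while the open socket tells you what a poisoner on your segment will see. The registry path and the cmdlets are standard Windows ones; the function names are mine.

```powershell
# Added example (not the original post's command): audit whether this host still
# answers LLMNR and NetBIOS over TCP/IP. Run from an elevated PowerShell prompt.

function Get-LlmnrState {
    # The "Turn off multicast name resolution" policy writes EnableMulticast here.
    # No value at all is the Windows default, i.e. LLMNR enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $val) { return 'Enabled (no policy set, Windows default)' }
    if ($val -eq 0)     { return 'Disabled (EnableMulticast=0)' }
    return "Enabled (EnableMulticast=$val)"
}

function Get-NetbiosState {
    # TcpipNetbiosOptions per adapter: 0 = take the setting from DHCP (enabled unless
    # the DHCP server sends vendor option 001 = 2), 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $nic = $_
            $opt = $nic.TcpipNetbiosOptions
            $state = switch ($opt) {
                0       { 'Default (DHCP decides)' }
                1       { 'Enabled' }
                2       { 'Disabled' }
                default { "Unknown ($opt)" }
            }
            [pscustomobject]@{
                Adapter        = $nic.Description
                IPAddress      = ($nic.IPAddress -join ', ')
                NetBIOSoverTCP = $state
            }
        }
}

"LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize

# Registry says what is configured; the wire says what is effective. A UDP 137
# listener bound to an adapter's address means the NetBIOS name service is live
# there, which is exactly what a poisoner on that segment will see.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

An adapter reporting ‘Default (DHCP decides)’ is not automatically safe: it is only disabled if your DHCP server hands out the vendor option described further down, which is why the UDP 137 check is the one to trust.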
To disable LLMNR across the domain, open Group Policy Management, create (or edit) a GPO (Group Policy Object), navigate to the following path and set the policy to Enabled (the setting is worded as ‘turn off’, so Enabled is the secure value).
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution
Behind the scenes this writes the DWORD EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, which is the value to check on a client after a gpupdate.
Disabling NetBIOS over TCP/IP
NetBIOS over TCP/IP can be disabled for DHCP clients from the DHCP console (dhcpmgmt.msc):
IPv4 > Server Options > Advanced > Vendor class dropdown, select ‘Microsoft Windows 2000 Options’ > tick ‘001 Microsoft Disable Netbios Option’ > set the data entry to ‘0x2’
This only reaches clients whose adapters are still set to take the NetBIOS setting from DHCP (the Windows default). Statically addressed servers, and any machine where the setting was fixed explicitly in the adapter’s WINS tab, are unaffected and have to be configured directly, for example via the NetbiosOptions registry value or a startup script.
It’s strongly recommended that you test the configuration on a pilot group before pushing it to a live environment. Disabling NetBIOS can break systems older than Windows XP or Windows Server 2003, and anything that still relies on NetBIOS name lookups or network browsing. If you do have XP, Server 2003 or older in production then you also have other problems to worry about.
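To close the gap left by the GPO and the DHCP option, here is an added PowerShell script (my addition, not from the original post) that applies both fixes directly on a host: it writes the same EnableMulticast value the GPO would, sets NetbiosOptions = 2 under every Tcpip_{GUID} interface key (the value the adapter’s WINS tab writes), and includes the Set-DhcpServerv4OptionValue equivalent of the console steps above for the DHCP server itself. The registry paths and cmdlets are standard Windows ones; the function names are mine, and the DHCP function assumes the DhcpServer RSAT module is installed where it runs.

```powershell
# Added example (not part of the original post): apply both fixes directly on a host
# that the GPO or DHCP option does not reach (static addresses, standalone servers).
# The registry values are the ones the GPO and the adapter's WINS tab write.
# Run elevated, test on a pilot group first, and reboot before trusting the result.

function Disable-Llmnr {
    # Same DWORD the "Turn off multicast name resolution" policy sets to 0.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
}

function Disable-NetbiosOverTcpip {
    # NetbiosOptions under every Tcpip_{GUID} interface key: 2 = disable NetBT.
    # Touching all interfaces, not just the ones currently up, closes the gap where a
    # docked or VPN adapter later appears with NetBT still enabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $base |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            "$($_.PSChildName): NetbiosOptions=2"
        }
}

function Set-DhcpDisableNetbiosOption {
    # Scripted equivalent of the DHCP console steps above; run on the DHCP server.
    # Needs the DhcpServer module (RSAT). Vendor class and option ID match the console.
    Set-DhcpServerv4OptionValue -VendorClass 'Microsoft Windows 2000 Options' `
                                -OptionId 1 -Value 2
}

Disable-Llmnr
Disable-NetbiosOverTcpip
# Set-DhcpDisableNetbiosOption   # uncomment only when running on the DHCP server

# Verify: EnableMulticast should read 0 and every interface's NetbiosOptions should be 2.
(Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient').EnableMulticast
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*' |
    Select-Object PSChildName, NetbiosOptions
```

Setting the values host by host is the fallback, not the plan: keep the GPO as the authoritative control for domain members and use this script for the stragglers that the GPO and DHCP cannot reach, so a report of EnableMulticast = 0 and NetbiosOptions = 2 everywhere actually means what it says.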