
(OT) Disabling LLMNR (Link-Local Multicast Name Resolution)


John C.

Jul 5, 2021, 1:42:06 AM
I know there is a more appropriate newsgroup for this post, but there
are people in this one whose opinions I respect.
_________________________________________________________________________

How To Disable LLMNR (Link-Local Multicast Name Resolution) & Why You
Want To

From https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/

Link-Local Multicast Name Resolution (LLMNR) was (is) a protocol used
that allowed name resolution without the requirement of a DNS server. It
was (is) able to provide a hostname-to-IP based off a multicast packet
sent across the network asking all listening Network-Interfaces to reply
if they are authoritatively known as the hostname in the query. It does
this by sending a network packet to port UDP 5355 to the multicast
network address (all layer 2).

What if you configure a node on the network to authoritatively say that
it is, no matter what the query, exactly who the query is looking for?
Let’s call this evil node “I’mEveryoneNotReally.” This creates a
race condition for the client. The client who is requesting the
information will accept (and wholly trust) whoever answers first as the
authoritative answer, because, based on the protocol specifications, the
only responses it should receive are authoritative (and trustworthy).

Windows (other operating systems too!) will use LLMNR in certain
circumstances to identify certain machines on the network, such as
file-servers. If Windows attempts to use LLMNR to identify the server of
a file-share and it receives a reply, it will send the current user’s
credentials directly to that server assuming it wouldn’t have replied if
it wasn’t the authoritative file-server. If that LLMNR received response
was actually an impersonator (I’mEveryoneNotReally), Windows just
disclosed that user’s credential hash to a third-party. What’s worse?
The impersonator may forward that packet to the actual file-server, so
the user never realizes anything is amiss.

LLMNR was useful back in the day when DNS servers required costly
processing power and system admins didn’t want them in every subnet
(still don’t!). Ad hoc networks can benefit greatly from it as well, but
ad hoc networks are pretty uncommon these days. It made sense for quick
resolution of names that were on the same subnet. The problem is that
hackers realized the protocol didn’t have effective protections to prevent
unauthorized nodes from authoritatively claiming they were anyone
(everyone). That said, in almost all cases LLMNR is no longer needed
because proper DNS is configured. Disabling LLMNR closes a very serious
risk vector.

Disable LLMNR with Active Directory Group Policy Editor:

Active Directory has a GPO you can configure to prevent its domain
workstations from using LLMNR.

Create a New or Update an existing Group Policy and Edit accordingly:

Computer Configuration -> Administrative Templates -> Network -> DNS Client
Enable the Turn Off Multicast Name Resolution policy by changing its
value to Enabled

See screenshots below, essentially this operation is the same as using
the Local Security Policy editor, with exception of making the
modification on a Group Policy.

Disable LLMNR with Local Group Policy (Windows 7,8,10 Pro)

Use Local Group Policy editor by running gpedit.msc and modifying the
policy.

Computer Configuration -> Administrative Templates -> Network -> DNS Client
Enable the Turn Off Multicast Name Resolution policy by changing its
value to Enabled

Disable LLMNR with Command Line (Single Workstation, Windows 7,8,10 Home)

Run these guys from command line:

REM Create the DNS Client policy key if it does not exist yet
REG ADD "HKLM\Software\policies\Microsoft\Windows NT\DNSClient"
REM Set EnableMulticast to 0 (LLMNR off); /f overwrites without prompting
REG ADD "HKLM\Software\policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f

Reboot.
________________________________________________________________________

Seems like a good idea to me, but can anybody think of any reasons why
this shouldn't be done?

TIA.

--
John C. BS206. No ad, CD, commercial, cripple, demo, nag, pirated,
share, spy, time-limited, trial or web wares for me please. I filter out
posts made from Google Groups and cross-posted (sent to more than one
newsgroup at a time) messages. I recommend you do likewise.
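An added example, not from the Black Hills article or anyone in this thread: a PowerShell equivalent of the two REG ADD lines above that reports the current EnableMulticast setting, sets it to 0 and then checks whether anything is still bound to UDP 5355. Get-LlmnrState, Disable-Llmnr and Test-LlmnrListener are names I made up; the registry key and value are the ones quoted in the post, and Get-NetUDPEndpoint needs the NetTCPIP module (Windows 8 and later), so the listener check is not available on Windows 7.

```powershell
# Added example (not the article's or the thread's code). Run from an elevated
# PowerShell. Key and value names are the ones the post quotes; the function
# names are my own.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'EnableMulticast'

function Get-LlmnrState {
    # 'Disabled' when the policy value is 0, 'Enabled' when it is non-zero,
    # 'NotConfigured' when key or value is absent (Windows default: LLMNR on).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $KeyPath)) {
        # Same effect as the first REG ADD: create the policy key if missing.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set REG_DWORD 0')) {
        # Same effect as the second REG ADD (/v EnableMulticast /t REG_DWORD /d 0 /f).
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }
    return Get-LlmnrState
}

function Test-LlmnrListener {
    # After the reboot the post calls for, no process should hold UDP 5355.
    # Returns $true while a listener is still bound.
    $ep = Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue
    return ($null -ne $ep)
}

"Before: $(Get-LlmnrState)"
"After:  $(Disable-Llmnr)"
if (Test-LlmnrListener) {
    'UDP 5355 is still bound; reboot and re-run Test-LlmnrListener.'
} else {
    'No listener on UDP 5355.'
}
```

Run with `Disable-Llmnr -WhatIf` first to see the registry write without applying it.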

p-0''0-h the cat (coder)

Jul 6, 2021, 7:29:22 PM
So someone has to get on your subnet, through your firewall, set this up
on a bit of spare hardware past its security, and use this as the basis
of a MITM attack on a file server. How many other hosts do you have on
your network? Just the router I guess. So er they would already be on
that. The remote code execution vulnerability was patched in 2012.
Besides, there are so many other factors on a modern Windows network
that are going to make this very difficult indeed. I won't be wasting my
time worrying about this one. Obviously, if Dusty gets on your network
you're fucked. Well you might be if you disabled about a dozen default
protections as I pointed out before when he declared iRok could still
bring down Windows 10. Larf.


Live everyday like you're a cat.

Sent from my iFurryUnderbelly.

--
p-0.0-h the cat

Internet Terrorist, Mass sock puppeteer, Agent provocateur, Gutter rat,
Devil incarnate, Linux user#666, BaStarD hacker, Resident evil, Monkey Boy,
Certifiable criminal, Spineless cowardly scum, textbook Psychopath,
the SCOURGE, l33t p00h d3 tr0ll, p00h == lam3r, p00h == tr0ll, troll infâme,
the OVERCAT [The BEARPAIR are dead, and we are its murderers], lowlife troll,
shyster [pending approval by STATE_TERROR], cripple, sociopath, kook,
smug prick, smartarse, arsehole, moron, idiot, imbecile, snittish scumbag,
liar, total ******* retard, shill, pooh-seur, Pooh Dendum, scouringerer,
jumped up chav, punk ass dole whore troll, no nothing innumerate religious
maniac, lycanthropic schizotypal lesbian, professional bully and stalker,
the most complete ignoid, joker, and furball.

NewsGroups Numbrer One Terrorist

Honorary SHYSTER and FRAUD awarded for services to Haberdashery.
By Appointment to God Frank-Lin.

Signature integrity check
md5 Checksum: be0b2a8c486d83ce7db9a459b26c4896

I mark any messages from trolls »Q« and 'Arlene' Holder as stinky

Shadow

Jul 6, 2021, 8:51:11 PM
On Sun, 4 Jul 2021 22:41:58 -0700, "John C." <r9j...@yahoo.com> wrote:

>I know there is a more appropriate newsgroup for this post, but there
>are people in this one whose opinions I respect.
>_________________________________________________________________________
>
>How To Disable LLMNR (Link-Local Multicast Name Resolution) & Why You
>Want To

I've had it blocked for yonkers. Can't even remember when I
blocked port 5355 UDP/TCP, but it's one of the first rules in my
firewall, along with 135-139,445 and 593.

https://www.grc.com/port_5355.htm

Weird, unknown port?
It's even got a Wiki page...

https://en.wikipedia.org/wiki/LLMNR
[]'s
Don't be evil - Google 2004
We have a new policy - Google 2012