Fixing LLMNR and NetBIOS-NS Spoofing

Published: 21 January 2021

In our article LLMNR and NetBIOS-NS Spoofing with Responder we stepped you through how to exploit a very common issue on Windows networks. In this one, we’re going to cover how to fix it.

LLMNR and NetBIOS-NS are both fallbacks for DNS and can be used to perform interception attacks, leading to credential theft or even command execution. However, these two protocols are not commonly needed on networks and can therefore be safely disabled.

Disable LLMNR

LLMNR can be disabled using Group Policy:

Open Group Policy editor: Start → Run → gpedit.msc

Navigate to DNS Client: Local Computer Policy → Computer Configuration → Administrative Templates → Network → DNS Client

Set "Turn Off Multicast Name Resolution" to Enabled.

Disable NetBIOS-NS

NetBIOS-NS can be disabled either by reconfiguring the network interface manually or by running a PowerShell command on boot. The PowerShell approach can be deployed with Group Policy to automate it across a domain.

Open Group Policy editor: Start → Run → gpedit.msc

Navigate to Scripts (Startup/Shutdown): Local Computer Policy → Computer Configuration → Windows Settings → Scripts (Startup/Shutdown)

Save the following script into a file:

# Set NetbiosOptions to 2 (NetBIOS over TCP/IP disabled) on every interface key
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip*' -Name NetbiosOptions -Value 2

Click "PowerShell Scripts", click "Add" then click the script you saved.

That's it!
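
To confirm that both fixes took effect on a host, the following added example (not part of the original article) reads back the two settings. It assumes the "Turn Off Multicast Name Resolution" policy is stored as EnableMulticast = 0 under the DNSClient policy key; the function names are hypothetical.

```powershell
# Added example: audit the LLMNR policy and the per-interface NetBIOS setting.
# Assumption: the LLMNR policy is stored as EnableMulticast = 0 under this key.
$llmnrKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# Same interface keys the startup script in the article writes to.
$netbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip*'

function Test-LlmnrDisabled {
    # A missing key or value means the policy has not been applied.
    $prop = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.EnableMulticast -eq 0)
}

function Get-NetbiosInterfaceState {
    # One row per interface key; NetbiosOptions 2 means NetBIOS over TCP/IP is off.
    Get-Item -Path $netbtPath -ErrorAction SilentlyContinue | ForEach-Object {
        $option = $_.GetValue('NetbiosOptions')
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $option
            Disabled       = ($option -eq 2)
        }
    }
}

$llmnrDisabled = Test-LlmnrDisabled
$interfaces    = @(Get-NetbiosInterfaceState)
$stillEnabled  = @($interfaces | Where-Object { -not $_.Disabled })

# Per-interface detail first, then a one-line summary for the host.
$interfaces | Format-Table -AutoSize
[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    LlmnrDisabled         = $llmnrDisabled
    InterfacesChecked     = $interfaces.Count
    InterfacesNotDisabled = $stillEnabled.Count
    Compliant             = ($llmnrDisabled -and $stillEnabled.Count -eq 0)
}
```

Any interface listed with Disabled = False was not covered by the startup script, for example an adapter added since the last boot.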
