discord

LLMNR/NBT-NS Poisoning and SMB Relay

LLMNR/NBT-NS Poisoning and SMB Relay [T1557.001]

Information

  • Name: LLMNR/NBT-NS Poisoning and SMB Relay

  • ID: T1557.001

  • Tactics: TA0006, TA0009

  • Technique: T1557

Introduction

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) Poisoning, along with Server Message Block (SMB) Relay attacks, constitute sub-technique T1557.001 within the MITRE ATT&CK framework. This sub-technique involves intercepting and responding to broadcast requests for hostnames or services on a local network. Attackers exploit these protocols to redirect authentication requests, enabling credential theft or relay attacks. SMB relay specifically involves capturing authentication requests and forwarding them to a different server, allowing attackers to gain unauthorized access or elevate privileges without cracking passwords directly.

Deep Dive Into Technique

LLMNR and NBT-NS are protocols that systems use to resolve hostnames when standard DNS resolution fails. Typically, when a host cannot resolve a hostname through DNS, it broadcasts a query via LLMNR (IPv6 and IPv4) or NBT-NS (IPv4 only) on the local network. Attackers exploit this behavior by:

  • Setting up malicious listeners that respond to these broadcast queries with false information.

  • Poisoning the victim's name resolution cache, causing authentication requests to be directed to the attacker-controlled host.

SMB Relay attacks leverage the intercepted authentication requests:

  • Attackers relay captured authentication attempts (typically NTLM hashes) to other hosts or services within the network.

  • This technique allows attackers to authenticate as legitimate users without needing to crack passwords.

  • Common tools used for SMB Relay include Responder, Inveigh, and Impacket's smbrelayx.py.

Technical execution steps typically include:

  1. Setting up a listener (e.g., Responder) to intercept LLMNR/NBT-NS requests.

  2. Responding to broadcast queries with attacker-controlled IP addresses.

  3. Capturing and relaying NTLM authentication requests to target SMB servers.

  4. Gaining unauthorized access, executing commands, or escalating privileges.

When this Technique is Usually Used

Attackers typically leverage LLMNR/NBT-NS Poisoning and SMB Relay attacks during the initial access and lateral movement stages of an attack lifecycle. Common scenarios include:

  • Initial reconnaissance and credential harvesting during penetration tests or red team engagements.

  • Privilege escalation attempts to move laterally within internal networks.

  • Exploiting weak network segmentation and misconfigured authentication mechanisms.

  • Situations where DNS resolution issues frequently occur, increasing reliance on LLMNR/NBT-NS broadcasts.

  • Internal attacker scenarios where an adversary has already gained a foothold within the network and seeks to escalate privileges or pivot to higher-value targets.

How this Technique is Usually Detected

Detection methods for LLMNR/NBT-NS Poisoning and SMB Relay attacks include:

  • Monitoring network traffic for abnormal LLMNR and NBT-NS responses, especially responses originating from unusual or suspicious hosts.

  • Analyzing logs for repeated or failed authentication attempts, particularly NTLM authentication failures or suspicious SMB traffic.

  • Deploying endpoint detection and response (EDR) solutions to detect malicious processes such as Responder or Inveigh running on endpoints.

  • Utilizing Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) rules to detect unusual multicast/broadcast traffic patterns.

  • Employing Security Information and Event Management (SIEM) solutions to aggregate and correlate logs from endpoints, network devices, and servers, identifying patterns indicative of SMB relay attacks.

Specific Indicators of Compromise (IoCs):

  • Unusual or repeated multicast/broadcast responses from unknown or unauthorized IP addresses.

  • Frequent NTLM authentication failures or unusual authentication patterns.

  • Presence of tools such as Responder, Inveigh, or Impacket scripts running on endpoints.

  • SMB connections originating from unexpected or unauthorized hosts.

  • Unrecognized accounts or authentication events appearing in event logs.

Why it is Important to Detect This Technique

Early detection of LLMNR/NBT-NS Poisoning and SMB Relay attacks is critical due to their significant security impact. Potential consequences include:

  • Credential theft and unauthorized access to sensitive resources.

  • Privilege escalation, enabling attackers to gain administrative rights within the network.

  • Lateral movement, allowing attackers to pivot from compromised endpoints to critical servers or domain controllers.

  • Data exfiltration, espionage, or sabotage facilitated through unauthorized access.

  • Persistent attacker presence, leading to prolonged compromise and increased difficulty in remediation.

Early detection and mitigation help organizations:

  • Minimize the attacker's dwell time and reduce the potential damage.

  • Prevent unauthorized access to sensitive or critical assets.

  • Strengthen overall security posture by identifying and remediating weaknesses in network configuration and authentication practices.

  • Reduce the risk of compliance violations, financial losses, and reputational damage resulting from successful attacks.

Examples

Real-world examples of LLMNR/NBT-NS Poisoning and SMB Relay attacks include:

  • Responder Tool Usage:

    • Attackers commonly use Responder to intercept LLMNR/NBT-NS queries, poisoning name resolution caches and capturing NTLM hashes.

    • In penetration tests, Responder frequently demonstrates how easily credentials can be harvested from misconfigured or inadequately secured networks.

  • Impacket's smbrelayx.py:

    • Impacket's smbrelayx.py script is widely used to automate SMB Relay attacks, capturing and relaying authentication attempts to other SMB services.

    • Attackers leveraging smbrelayx.py can escalate privileges or execute commands remotely without direct password cracking.

  • Inveigh Framework:

    • Inveigh is a PowerShell-based tool that performs similar poisoning and relay attacks directly from Windows endpoints.

    • Attackers using Inveigh can remain stealthy, as the tool blends into legitimate Windows processes and activities.

  • Real-World Incident (Penetration Test Scenario):

    • During penetration testing engagements, security teams frequently demonstrate the ease of credential capture via LLMNR/NBT-NS Poisoning.

    • Captured credentials or hashes are then relayed to SMB services, allowing testers to access sensitive files, escalate privileges, or move laterally within the network.

Impact Examples:

  • Credential compromise leading to unauthorized access to corporate file shares or email accounts.

  • Privilege escalation allowing attackers to gain administrative control over domain controllers or critical infrastructure.

  • Data breaches resulting from attackers accessing sensitive information stored on compromised SMB servers or shares.

Last updated

Was this helpful?