{"id":4426,"date":"2020-01-17T05:01:01","date_gmt":"2020-01-17T05:01:01","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=4426"},"modified":"2023-01-04T01:34:34","modified_gmt":"2023-01-04T01:34:34","slug":"protecting-from-llmnr-and-nbt-ns-poisoning-using-responder","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/protecting-from-llmnr-and-nbt-ns-poisoning-using-responder","title":{"rendered":"Protecting from LLMNR and NBT-NS Poisoning Using Responder"},"content":{"rendered":"\n<p>Per the information at <a href=\"https:\/\/www.4armed.com\/blog\/llmnr-nbtns-poisoning-using-responder\/\" title=\"\">https:\/\/www.4armed.com\/blog\/llmnr-nbtns-poisoning-using-responder\/<\/a>, you might fail a pentest on this unless you do the below.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disabling LLMNR:\n<ul class=\"wp-block-list\">\n<li>Open the Group Policy Editor in your version of Windows<\/li>\n\n\n\n<li>Navigate to Local Computer Policy &gt; Computer Configuration &gt; Administrative Templates &gt; Network &gt; DNS Client<\/li>\n\n\n\n<li>Under DNS Client, make sure that \u201cTurn OFF Multicast Name Resolution\u201d is set to Enabled<\/li>\n\n\n\n<li>Also very important: apply the registry change described here:\u00a0<a href=\"https:\/\/f20.be\/blog\/mdns\">mDNS \u2013 The informal informer | f20<\/a><\/li>\n\n\n\n<li>Intune:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/01\/image-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"448\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/01\/image-2-1024x448.png\" alt=\"\" class=\"wp-image-6500 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/01\/image-2-1024x448.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/01\/image-2-300x131.png 300w, 
https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/01\/image-2-768x336.png 768w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/01\/image-2.png 1080w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NetBIOS over TCP\/IP disabled\n<ul class=\"wp-block-list\">\n<li>DHCP option \u201c001 Microsoft Disable Netbios Option\u201d configured for all scopes with a value of 0x2<\/li>\n\n\n\n<li>NetbiosOptions value changed to 2 in the registry for all interfaces with a PowerShell script<\/li>\n\n\n\n<li>LLMNR disabled using GPO<\/li>\n\n\n\n<li>Configured secure-only dynamic updates for all DNS zones<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>WPAD\n<ul class=\"wp-block-list\">\n<li>Microsoft's suggested workaround applied: a PowerShell script adds the entry to the hosts file (<a href=\"https:\/\/docs.microsoft.com\/en-us\/security-updates\/SecurityBulletins\/2016\/ms16-077\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.microsoft.com\/en-us\/security-updates\/SecurityBulletins\/2016\/ms16-077<\/a>)<\/li>\n\n\n\n<li>Added option 252 on DHCP scopes and pointed WPAD to 255.255.255.255<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>REG ADD &quot;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad&quot; \/v &quot;WpadOverride&quot; \/t REG_DWORD \/d &quot;1&quot; \/f<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Per information :https:\/\/www.4armed.com\/blog\/llmnr-nbtns-poisoning-using-responder\/\u00a0, in a Pentest you might fail this unless you do the 
below<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1377,3133,3135,3132,3136,3137,3134],"class_list":["post-4426","post","type-post","status-publish","format-standard","hentry","category-research","tag-dns","tag-llmnr","tag-nbt-ns","tag-pentest","tag-poisoning","tag-turn-off-multicast-name-resolution","tag-wpad"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=4426"}],"version-history":[{"count":4,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4426\/revisions"}],"predecessor-version":[{"id":6502,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4426\/revisions\/6502"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=4426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=4426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=4426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}