LLMNR and NBT-NS detection

dranderis · June 27, 2023, 4:00pm

Hi,

Does InsightVM have the ability to perform LLMNR / NBT-NS detection?

We have identified a few customers having issues with https://attack.mitre.org/techniques/T1557/001/ and utilizing LLMNR / NBT-NS in particular to obtain NTLMv2 hashes in a pentest, though the standard Insight Agent and Network Scan (Exhaustive-template) didn’t mark those as potential issues.

I see that tenable might have something for this:
https://www.tenable.com/plugins/nessus/53513
https://www.tenable.com/plugins/nessus/54629

In the exhaustive scan-template with the default well-known ports, looking at the “<installation_directory>/plugins/java/1/NetworkScanners/1/default-services.properties” file I see port 137 listed, but not 5355 - but adding that does not seem to catch it either.
Or is it because the scan template is not wide enough? Would the “Penetration test” be a better fit here to try catch those?

Have any of you worked with this in relation to InsightVM scans before?

tjustus · December 20, 2023, 4:23pm

I’d like to know that, too!

Please give us some information on this.

Thanks!

adelima1 · January 15, 2024, 7:25pm

Hi dranderis, just curious if you were you able to identify devices with LLMNR ports after adding the port 5355 in the “default-services-properties” and expanding your scope?

gfargo · April 4, 2024, 2:04pm

Has anybody found a definitive answer on this?

dranderis · April 5, 2024, 11:07am

No, we haven’t found any solution on thi matter yet.

pj-tfcu · January 3, 2025, 5:56pm

Any update on Rapid7 InsightVM having the ability to check for LLMNR (Link-Local Multicast Name Resolution) / NBT-NS (NetBios Name Service)?

bradpjaxx · January 9, 2025, 8:05pm

This would be a Custom Check and more than likely not something implemented, if you are a IDR customer its something that can be created and VQL Velociraptor Query to the Agent could check for.

I dont see many Powershell specific Checks or any for that matter last time i looked at all the Checks…

I dont see how or why it wouldnt be an easy enough check to create since all you are looking for is a value in the REG KEYS…

Check the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient for the EnableMulticast setting:
• If 0, LLMNR is disabled.
• If not present or 1, LLMNR is enabled ( VULNERABLE )

Check the registry keys under HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces for the NetbiosOptions value:
• 0: Enabled for all traffic.
• 1: Disabled.
• 2: Enabled via DHCP settings

jblanchard · April 28, 2025, 11:22pm

I literally just discovered this today. But in addition to the recommendation by bradpjaxx, you will need to check this registry key as well for MDNS which is also vulnerable to poisoning..

Check the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient for the value “EnableMDNS”:
• If 0, MDNS is disabled.
• If not present or 1, MDNS is enabled ( VULNERABLE )

If the value “enableMDNS” is missing, create it (REG_DWORD) and set it’s value to “0”.