LLMNR and NBT-NS detection

Hi,

Does InsightVM have the ability to perform LLMNR / NBT-NS detection?

We have identified a few customers having issues with https://attack.mitre.org/techniques/T1557/001/ and utilizing LLMNR / NBT-NS in particular to obtain NTLMv2 hashes in a pentest, though the standard Insight Agent and Network Scan (Exhaustive-template) didn’t mark those as potential issues.

I see that tenable might have something for this:
https://www.tenable.com/plugins/nessus/53513
https://www.tenable.com/plugins/nessus/54629

In the exhaustive scan-template with the default well-known ports, looking at the “<installation_directory>/plugins/java/1/NetworkScanners/1/default-services.properties” file I see port 137 listed, but not 5355 - but adding that does not seem to catch it either.
Or is it because the scan template is not wide enough? Would the “Penetration test” be a better fit here to try catch those?

Have any of you worked with this in relation to InsightVM scans before?

1 Like

I’d like to know that, too!

Please give us some information on this.

Thanks!

Hi dranderis, just curious if you were you able to identify devices with LLMNR ports after adding the port 5355 in the “default-services-properties” and expanding your scope?

1 Like