Does InsightVM have the ability to perform LLMNR / NBT-NS detection?
We have identified a few customers having issues with https://attack.mitre.org/techniques/T1557/001/ and utilizing LLMNR / NBT-NS in particular to obtain NTLMv2 hashes in a pentest, though the standard Insight Agent and Network Scan (Exhaustive-template) didn’t mark those as potential issues.
In the exhaustive scan-template with the default well-known ports, looking at the “<installation_directory>/plugins/java/1/NetworkScanners/1/default-services.properties” file I see port 137 listed, but not 5355 - but adding that does not seem to catch it either.
Or is it because the scan template is not wide enough? Would the “Penetration test” be a better fit here to try to catch those?
Have any of you worked with this in relation to InsightVM scans before?
Hi dranderis, just curious if you were able to identify devices with LLMNR ports after adding the port 5355 in the “default-services-properties” and expanding your scope?
This would be a Custom Check and more than likely not something implemented. If you are an IDR customer, it's something that can be created, and a VQL Velociraptor Query to the Agent could check for it.
I don't see many PowerShell-specific Checks, or any for that matter, last time I looked at all the Checks…
I don't see how or why it wouldn't be an easy enough check to create, since all you are looking for is a value in the REG KEYS…
Check the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient for the EnableMulticast setting:
• If 0, LLMNR is disabled.
• If not present or 1, LLMNR is enabled ( VULNERABLE )
Check the registry keys under HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces for the NetbiosOptions value:
• 0: Enabled for all traffic.
• 1: Disabled.
• 2: Enabled via DHCP settings
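
A local audit of the two registry locations named in the reply above, as an added example that is not part of the original thread and is not an InsightVM or Velociraptor check. The function names are hypothetical, and the NetbiosOptions interpretation in the code (0 = follow DHCP, 1 = enabled, 2 = disabled) is the mapping used by Win32_NetworkAdapterConfiguration.SetTcpipNetbios and is an assumption of this example, so the raw value is reported alongside it.

```powershell
# Added example: report LLMNR and NetBIOS-over-TCP/IP state from the registry.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # EnableMulticast = 0 turns LLMNR off by policy; a missing value or 1 leaves it on.
    $value = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast `
              -ErrorAction SilentlyContinue).EnableMulticast
    [pscustomobject]@{
        Protocol = 'LLMNR'
        Scope    = 'Host policy'
        RawValue = if ($null -eq $value) { '<not set>' } else { $value }
        Enabled  = ($null -eq $value) -or ($value -ne 0)
    }
}

function Get-NbtNsState {
    # One Tcpip_{GUID} subkey per interface, each with its own NetbiosOptions value.
    Get-ChildItem -Path $netbtKey -ErrorAction SilentlyContinue | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                  -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Protocol = 'NBT-NS'
            Scope    = $_.PSChildName
            RawValue = if ($null -eq $value) { '<not set>' } else { $value }
            # Assumed mapping: only 2 disables NetBIOS on the interface.
            Enabled  = ($value -ne 2)
        }
    }
}

# Combine both results; any row with Enabled = True still answers
# multicast or broadcast name queries on that scope.
$findings = @(Get-LlmnrState) + @(Get-NbtNsState)
$findings | Sort-Object Protocol, Scope | Format-Table -AutoSize
```

Interfaces that belong to disconnected or virtual adapters are listed too, so compare the Scope GUIDs with `Get-NetAdapter` before treating every row as exposed.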