LLMNR and NBT-NS detection

dranderis · June 27, 2023, 4:00pm

Hi,

Does InsightVM have the ability to perform LLMNR / NBT-NS detection?

We have identified a few customers having issues with https://attack.mitre.org/techniques/T1557/001/ and utilizing LLMNR / NBT-NS in particular to obtain NTLMv2 hashes in a pentest, though the standard Insight Agent and Network Scan (Exhaustive-template) didn’t mark those as potential issues.

I see that tenable might have something for this:
https://www.tenable.com/plugins/nessus/53513
https://www.tenable.com/plugins/nessus/54629

In the exhaustive scan-template with the default well-known ports, looking at the “<installation_directory>/plugins/java/1/NetworkScanners/1/default-services.properties” file I see port 137 listed, but not 5355 - but adding that does not seem to catch it either.
Or is it because the scan template is not wide enough? Would the “Penetration test” be a better fit here to try catch those?

Have any of you worked with this in relation to InsightVM scans before?

tjustus · December 20, 2023, 4:23pm

I’d like to know that, too!

Please give us some information on this.

Thanks!

adelima1 · January 15, 2024, 7:25pm

Hi dranderis, just curious if you were you able to identify devices with LLMNR ports after adding the port 5355 in the “default-services-properties” and expanding your scope?

gfargo · April 4, 2024, 2:04pm

Has anybody found a definitive answer on this?

dranderis · April 5, 2024, 11:07am

No, we haven’t found any solution on thi matter yet.