ID06 | LLMNR, NBT-NS & mDNS

LLMNR, NBT-NS & mDNS are enabled by default, which allows their name-resolution requests to be poisoned.

References:

Table of available actions, states, and targets

| Vulnerability ID | Trigger available | Default state | Default target |
| --- | --- | --- | --- |
| 06 \| LLMNR, NBT-NS & mDNS | Yes | Present | srv02 & walter.white |

Launch

Enable

# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/06.yml --extra-vars "action=enable"

Disable

# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/06.yml --extra-vars "action=disable"

Trigger

# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/06.yml --extra-vars "action=trigger"

Tip

You may need to run this command several times if no poisoning is observed.

Implementation

Enable

LLMNR, NBT-NS & mDNS are enabled by default. To re-enable them after they have been disabled, a set of firewall rules is enabled and set to Allow.

Reference:

Disable

A set of firewall rules is enabled and set to Block.

Reference:
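The Enable and Disable actions above both come down to the same firewall rules, set to Allow or Block. The playbook below is an added example, not the project's own `06.yml`: it shows how such rules can be managed with the `community.windows.win_firewall_rule` module, blocking (or re-allowing) the UDP ports the three protocols listen on: 5355 for LLMNR, 137 for NBT-NS and 5353 for mDNS. The variable name `rule_mode` and the rule names are assumptions of this example (the page's playbook uses `action` instead), and the play assumes the Windows hosts are reachable over WinRM with the `community.windows` collection installed.

```yaml
# Added example (not the project's 06.yml): toggle the Windows Firewall rules
# that block or allow LLMNR, NBT-NS and mDNS on a lab host.
# Assumes: WinRM-managed Windows hosts, community.windows collection installed,
# and a variable `rule_mode` set to "disable" (Block) or "enable" (Allow).
- name: Toggle LLMNR, NBT-NS and mDNS firewall rules
  hosts: "{{ host_name | default('srv02') }}"
  gather_facts: false
  vars:
    rule_mode: disable        # disable -> Block, enable -> Allow
    # Protocols and the UDP ports they use (well-known values)
    multicast_resolution_rules:
      - { name: "Lab - LLMNR (UDP 5355)",  port: 5355 }
      - { name: "Lab - NBT-NS (UDP 137)",  port: 137 }
      - { name: "Lab - mDNS (UDP 5353)",   port: 5353 }
  tasks:
    - name: Fail early on an unexpected rule_mode value
      ansible.builtin.assert:
        that: rule_mode in ['enable', 'disable']
        fail_msg: "rule_mode must be 'enable' or 'disable'"

    # One rule per protocol and per direction; the same rule name is reused
    # on every run, so repeated runs only flip the action (idempotent).
    - name: Set inbound and outbound rules to Block (disable) or Allow (enable)
      community.windows.win_firewall_rule:
        name: "{{ item.0.name }} - {{ item.1 }}"
        direction: "{{ item.1 }}"
        action: "{{ 'block' if rule_mode == 'disable' else 'allow' }}"
        protocol: udp
        localport: "{{ item.0.port }}"
        enabled: true
        state: present
      loop: "{{ multicast_resolution_rules | product(['in', 'out']) | list }}"
      loop_control:
        label: "{{ item.0.name }} ({{ item.1 }})"
```

Run it with `ansible-playbook -i inventory.yml <this-file>.yml --extra-vars "rule_mode=disable"` to block the three protocols on the default host, or `rule_mode=enable` to set the same rules back to Allow. Keeping the rules present and only switching their action, rather than deleting them, is what makes the enable/disable pair idempotent and easy to audit on the host with `Get-NetFirewallRule`.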

Trigger

The walter.white user connects to srv02 and searches for a non-existent SMB share called made-by-walter-white.

Because the name cannot be resolved through DNS, this triggers LLMNR, NBT-NS & mDNS resolution.

Reference:

Customization

You can choose a target other than the default one by passing the following variables:

host_name = dc01 | srv01 | srv02
user_name = any user
share_name = whatever string you want (without space)
action = enable | disable | trigger

Example with srv01:

# Current directory: ansible
ansible-playbook -i inventory.yml playbooks/vulnerabilities/06.yml --extra-vars "action=trigger host_name=srv01 user_name=jessie.pinkman share_name=yeah-science"