
Disabling Netbios on Windows desktops

What are NETBIOS and LLMNR ?

NetBIOS and LLMNR are quite similar: LLMNR is the successor of NetBIOS and is present on all Windows versions since Vista, while NetBIOS, even though it is still present on the system, is deprecated and disabled on Windows 10 and above.

LLMNR (UDP/5355, Link-Local Multicast Name Resolution) is used in all Windows versions starting from Vista and allows IPv6 and IPv4 clients to resolve the names of neighboring computers without a DNS server, by sending broadcast requests on the local L2 network segment. The protocol is used automatically when DNS is unavailable (in Windows workgroups it is used for Network Discovery), so where DNS servers exist in the domain it is not needed.

NetBIOS Over TCP/IP Protocol

NetBIOS over TCP/IP, or NBT-NS (UDP/137, UDP/138, TCP/139), is a broadcast protocol that predates LLMNR and is used in the local network to publish and search for resources. By default, NetBIOS over TCP/IP support is enabled for all network interfaces in all Windows versions.

Exploitation (similar for LLMNR)

1. NetBIOS Name Service Spoofing (Cache Poisoning)

This attack relies on hijacking the NetBIOS Name Service (NBNS), which is responsible for resolving computer names within a local network. An attacker can impersonate another machine by sending false responses to NetBIOS Name Service requests, redirecting legitimate network traffic to their own machine. This allows the attacker to:
  • Redirect network traffic to a malicious machine.
  • Capture sensitive information, such as credentials or unencrypted data.
  • Intercept and modify communications between two machines (Man-in-the-Middle).

2. Man-in-the-Middle (MitM) Attacks

By exploiting NetBIOS hijacking or using tools like Responder or Ettercap, an attacker can position themselves between a client and a Windows server, intercepting login information or hijacking user sessions. This can also lead to the exfiltration of NTLMv1/v2 passwords if connections are not properly secured.

3. SMB (Server Message Block) Vulnerability

Although SMB is not directly related to NetBIOS, SMB often relies on NetBIOS for establishing connections in older environments. The EternalBlue vulnerability (exploited by the WannaCry ransomware), which affected SMBv1, is a classic example. Exploiting this protocol, which is often used alongside NetBIOS, can allow for remote code execution.

Last notable exploitations

NETBIOS based notable attack

CVE-2017-0174 is a Denial of Service (DoS) vulnerability in Windows NetBIOS. It occurs when Windows NetBIOS improperly handles NetBIOS packets, leading to a potential service disruption. It affects various versions of Windows, including Windows 7, 8.1, 10, and Windows Server editions. Exploiting this vulnerability could allow an attacker to cause a denial of service on the affected system, impacting system availability.

LLMNR notable exploitation

A recent example of an exploited LLMNR vulnerability is through "LLMNR Poisoning," which has been frequently used in internal network attacks. Tools like Responder or Inveigh can hijack local name resolution by acting as a rogue LLMNR server, capturing NTLMv2 hashes when users mistakenly try to access non-existent resources. This kind of attack can lead to credential theft, especially when users try to access a misconfigured file share, and their machine falls back on LLMNR to resolve the hostname. An attacker can intercept the query, respond with their own IP, and capture hashed credentials for further exploitation.

There is no specific CVE for LLMNR poisoning itself, as it is more of a misconfiguration and misuse of a protocol, but it has been included in general network security assessments and penetration testing reports, such as those done using Responder or similar tools.

Mitigations

Block NetBIOS ports: the following TCP/UDP ports used by NetBIOS can be blocked on internal firewalls:
  • TCP/UDP port 137 (NetBIOS Name Service)
  • TCP/UDP port 138 (NetBIOS Datagram Service)
  • TCP/UDP port 139 (NetBIOS Session Service)

Other mitigations:
  • Use SMBv2 or SMBv3 and disable SMBv1 to enhance network security.
  • NTLM authentication: strengthen NTLM security policies by disabling NTLMv1 and using more secure protocols like Kerberos.
  • Disable LLMNR through Group Policy and rely on more secure DNS-based name resolution.

On Windows

https://woshub.com/how-to-disable-netbios-over-tcpip-and-llmnr-using-gpo/

Disable NetBIOS using a PowerShell startup script

# Each interface has a Tcpip_{GUID} subkey whose NetbiosOptions value controls NetBIOS over TCP/IP:
# 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled
$regkey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
# Set every interface to 2 (disabled); -Verbose logs each change in the startup script output
Get-ChildItem $regkey | ForEach-Object { Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose }

Disable LLMNR using a GPO

  • Open gpmc.msc, then create a new GPO or edit an existing one that is applied to all workstations and servers;
  • Go to Computer Configuration -> Administrative Templates -> Network -> DNS Client;
  • Enable the Turn off multicast name resolution policy by setting it to Enabled;
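As an added example (not from the original page or the linked guide), the following PowerShell script audits both settings covered above, NetBIOS over TCP/IP per interface and LLMNR via the DNS Client policy key, and with -Remediate applies the same values the startup script and the GPO set. It assumes it runs elevated and that the two registry paths are the standard NetBT and DNS Client policy locations.

```powershell
# Added example (not from the original page): audit NetBIOS over TCP/IP and LLMNR
# on the local host and, with -Remediate, apply the same settings the startup
# script and the GPO above do. Assumes it runs elevated and that the registry
# locations below are the standard NetBT and DNS Client policy keys.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$nbtBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# NetbiosOptions: 0 = follow the DHCP server's setting, 1 = enabled, 2 = disabled.
# 0 is not a safe "off": a DHCP server can hand NetBIOS back on, so only 2 counts as compliant.
$findings = @(foreach ($iface in Get-ChildItem -Path $nbtBase) {
    $value = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    [pscustomobject]@{
        Setting   = 'NetBIOS'
        Target    = $iface.PSChildName
        Current   = $value
        Compliant = ($value -eq 2)
    }
})

# LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0 here.
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
$findings += [pscustomobject]@{
    Setting   = 'LLMNR'
    Target    = $llmnrKey
    Current   = $llmnr
    Compliant = ($llmnr -eq 0)
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
        if ($f.Setting -eq 'NetBIOS' -and $PSCmdlet.ShouldProcess($f.Target, 'Set NetbiosOptions = 2')) {
            Set-ItemProperty -Path (Join-Path $nbtBase $f.Target) -Name NetbiosOptions -Value 2 -Type DWord
        }
        elseif ($f.Setting -eq 'LLMNR' -and $PSCmdlet.ShouldProcess($llmnrKey, 'Set EnableMulticast = 0')) {
            # The key only exists once a policy has been set, so create it on first use
            if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
            Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        }
    }
}
```

Run it first with -Remediate -WhatIf to see what would change before writing anything. A domain GPO that sets these values will overwrite a local change on the next policy refresh, so in a domain the GPO remains the authoritative place for the setting.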