Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

Adversaries who have compromised one system in a network frequently hijack the network traffic of other systems on the same subnet to intercept passwords, infect software downloads and updates, spy on browsing or email traffic, or launch other denial-of-service or man-in-the-middle attacks. The easiest and most common ways adversaries accomplish this is by responding to NetBIOS or LLMNRbroadcast name resolution requests. NetBIOS is a legacy protocol supported in the early days of Windows while LLMNR support was added to Windows Vista and Server 2008. Windows and other operating systems send out these requests while trying to locate network resources when you open your web browser or try to visit a website or open a network share or drive. Praetorian listed this layer 4 attack as one of their top 5 most common and effective attacks over 100 penetration tests. With a little more work, attackers may also accomplish the same result by spoofing ARP requests (layer 3 attack), or with a lot more work, by spoofing entire wireless networks (layer 2 & layer 1 attacks).

NetBIOS and LLMNR resolution are rarely required, and can almost always be disabled to stop these attacks, while ARP spoofing can be detected or prevented by network devices, and malicious wireless network threats can be mitigated by the use of VPN’s.



The best solution to block layer-4 name resolution spoofing attacks is to disable NetBIOS broadcast name resolution and disable LLMNR on each system. To disable NetBIOS broadcast name resolution, run this PowerShell command with administrative rights: 

gwmi Win32_NetworkAdapterConfiguration -Filter "TcpipNetbiosOptions = 0 or TcpipNetbiosOptions = 1" | %{$_.SetTcpipNetbios(2)}

Or run this command with administrative rights:

wmic nicconfig where "TcpipNetbiosOptions=1 or TcpipNetbiosOptions=0" call SetTcpipNetbios 2


To disable LLMNR broadcast name resolution, run these PowerShell commands with administrative rights:

ni "HKLM:\Software\Policies\Microsoft\Windows\Windows NT\DNSClient" -Type Directory -Force

sp "HKLM:\Software\Policies\Microsoft\Windows\Windows NT\DNSClient" EnableMulticast 0

Or run this command with administrative rights:

reg add "HKLM\Software\Policies\Microsoft\Windows\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f

Or, via Group Policy, edit your local or a domain group policy object. Expand Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client then double-click on the “Turn Off Multicast Name Resolution” setting and make sure the State is set to “Enabled”.


ARP poisoning can still be used, however it is a much more involved process. Many personal firewall and internet security software products have the ability to detect ARP poisoning on any network you are connected to, but the best way to combat ARP poisoning is by using features of your network switches and routers to block it. For example, on most managed network equipment, you should either enable Private VLANs (a.k.a. Port Isolation) or enable DHCP Snooping and Dynamic ARP Inspection. On many wireless routers, you can enable Wireless Isolation (sometimes called Client Isolation) which will block ARP poisoning (and NetBIOS/LLMNR spoofing), at least on that wireless network.


Adversaries might also use low-level wireless spoofing attacks such as the KARMA attack to achieve the same result against wireless network clients, but they are more difficult to perform in common attack scenarios. Tools to do this generally require a Linux system with special drivers and a compatible card or a Windows system with specialized hardware physically close to the target. If someone can perform the attack, it is difficult to prevent, since nearly every wireless client is configured to connect to at least one open wireless network (or a network with a known pre-shared key). Connecting to open wireless networks is not practical to prevent, since they are required to access the internet in most hotels and airports and aircraft, etc.

The best way to defend against spoofed or otherwise untrusted wireless networks is to use a VPN to tunnel your data over the untrusted wireless network, but even those can be attacked by malicious pre-VPN landing pages and cache poisoning.

For the ultimate in untrusted local network isolation, we recommend using a separate device to serve as the VPN router to handle the untrusted network connection, landing page negotiation, and encryption and authentication of the trusted tunnel.


Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this