What is LLMNR?
Link-Local Multicast Name Resolution, known and loved by attackers as LLMNR, is a secondary name resolution protocol. With LLMNR, a client computer sends its queries as multicast over the local network link to the other computers on the same subnet that also have LLMNR enabled.
LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
LLMNR queries are sent to and received on port 5355. The IPv4 link-scope multicast address a given responder listens to, and to which a sender sends queries, is 126.96.36.199.
What's Wrong with LLMNR?
In short, anyone on the layer 2 network can answer your query for where a resource on your subnet lives, including the attacker. For example, your machine sends out a multicast packet asking which server the Z:\ drive is mapped to. The attacker answers first and says that he is where you need to go. Your machine blindly hands your credential hash to the attacker so that you can use the resource. Now the attacker has your credential hash, and all he needs to do is crack it.
Turn it off, you don’t need it!
You will want to do this with a Group Policy Object (GPO). Go to a Run prompt and type “mmc” to pull up the management console.
Once the MMC is open, click File, then “Add/Remove Snap-in…”.
Add the Group Policy Object Editor snap-in (in this example I will add it to the Local Computer).
Walk the tree from Local Computer Policy > Administrative Templates > Network > DNS Client.
The setting that you are looking for is “Turn off multicast name resolution”.
By default it is Not Configured; in order to disable LLMNR, this setting must be Enabled.
If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
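As an added example (not part of the original post), here is a PowerShell script that audits the registry value behind the “Turn off multicast name resolution” policy and applies it on a standalone host. It assumes the policy is backed by the EnableMulticast value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, and it uses Get-NetUDPEndpoint as a secondary check that nothing is still listening on port 5355.

```powershell
# Added example, not from the original post.
# Assumption: the GPO "Turn off multicast name resolution" writes
#   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
# where 0 = LLMNR disabled, and absent or 1 = enabled (the default).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrState {
    # Report the policy value and whether anything still listens on port 5355.
    $value = (Get-ItemProperty -Path $PolicyKey -Name EnableMulticast `
              -ErrorAction SilentlyContinue).EnableMulticast
    $configured = if ($null -eq $value) { 'Not configured' } else { $value }
    # Secondary check: with LLMNR enabled, the DNS Client service binds UDP 5355.
    # This can lag behind a registry change until the service is restarted.
    $listening = [bool](Get-NetUDPEndpoint -LocalPort 5355 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EnableMulticast = $configured
        Disabled        = ($value -eq 0)
        ListeningOn5355 = $listening
    }
}

function Disable-Llmnr {
    # Makes the same change the GPO makes. On a domain-joined host, set it in
    # the domain GPO instead: a local edit is overwritten at the next policy refresh.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name EnableMulticast -Value 0 -Type DWord
}

# Audit first; only change the setting if LLMNR is still enabled.
$state = Get-LlmnrState
$state | Format-List
if (-not $state.Disabled) {
    Disable-Llmnr
    Get-LlmnrState | Format-List
}
```

Run it from an elevated PowerShell prompt; the audit half is safe to run anywhere (including domain members) to confirm the GPO actually landed.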