Credential compromise possible via old Windows protocols

Organizations leveraging legacy Windows communication protocols Link-Local Multicast Name Resolution and NetBIOS Name Service could have their credentials pilfered without the exploitation of software flaws, according to Infosecurity Magazine.

Attackers within the same local network segment as the targeted devices could leverage Responder and other tools to capture LLMNR and NBT-NS broadcasts and eventually compromise usernames, domain information, and encrypted password hashes, a Resecurity report showed.

Such pilfered data could then be harnessed in subsequent relay intrusions, which could result in sweeping database access, privilege escalation, and total environment compromise. Mitigating such a threat necessitates the immediate deactivation of LLMNR and NBT-NS via Group Policy, the blocking of UDP port 5355, and the implementation of SMB signing.

Organizations have also been urged to curb NTLM authentication and guarantee accurate DNS configurations.

"Combined with network monitoring and credential-hardening practices, these measures significantly reduce the risk of credential theft through broadcast poisoning attacks," said Resecurity.