NetBios Name Service (NBT-NS) and Link-Local Multicast Name Resolution (LLMNR) spoofing is generally refers to the Hacker Tool Responder being utilized. This allows for attackers who are within the broadcast of the network to poison in-broadcast NetBIOS Name Service and Link-Local Multicast Name Resolution lookups.
Due to the nature of Windows authentication, these lookups can be poisoned to force machines to send their NetNTLMv2 password hashes for authentication purposes. Keep in mind a strong password policy, 12-14 characters and above, will make this effort much more difficult as NetNTLMv2 hashes are quite difficult to crack due to how slow it is.
Additionally, the same tool can be used to relay SMB connections if they are not being signed per GPO policy.
Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.
NOTE: All below settings should be completely tested in specific environments prior to changing. Many legacy products unfortunately rely on these outdated methods of name resolution, performing these actions can be damaging to your environment. If you have a healthy DNS infrastructure and you are sure that lookups go through your DNS and not through local lookup, you should be generally OK.
You can’t disable netbios directly within group policy, but there are a few different ways that you can..
Note: After forest functional level 2008, this is set to enabled by default
Have questions or want to learn more about Blumira? We’re happy to help.