This article covers how to disable the NetBIOS and LLMNR protocols for our customers. In most modern networks, the broadcast protocols NetBIOS over TCP/IP and LLMNR are used only for compatibility with legacy Windows versions. Both protocols are susceptible to spoofing and MITM attacks.
Metasploit includes ready-made modules that make it easy to exploit vulnerabilities in the broadcast-based NetBIOS and LLMNR protocols to intercept user credentials on the local network (including NTLMv2 hashes).
To improve your network security, you need to disable these protocols on the domain network.
In the domain environment, LLMNR broadcasts can be disabled on computers and servers using Group Policy.
To do this:
1. Open gpmc.msc and create a new GPO, or edit an existing one that is applied to all workstations and servers;
2. Go to Computer Configuration -> Administrative Templates -> Network -> DNS Client;
3. Enable the Turn off smart multi-homed name resolution policy by setting its value to Enabled;
4. Wait while the GPO settings on clients are updated, or manually update them using the command: gpupdate /force.
To manually disable NetBIOS on Windows, proceed as follows:
1. Open network connection properties
2. Select TCP/IPv4 and open its properties
3. Click Advanced, then go to WINS tab and select Disable NetBIOS over TCP
4. Save the changes.
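The manual steps above have to be repeated for every network connection, so the following added example (not part of the original article) audits the NetBIOS over TCP/IP setting on all IP-enabled adapters through the Win32_NetworkAdapterConfiguration WMI class and, when run with -Apply, sets each one to Disabled. It also lists the DNS Client policy values the GPO has written to the registry, so you can confirm the policy reached the machine. The -Apply switch is defined by this script only; save it as a .ps1 file and run it from an elevated PowerShell session.

```powershell
# Added example: audit and optionally disable NetBIOS over TCP/IP on every adapter.
# -Apply is a switch defined by this script; without it nothing is changed.
param([switch]$Apply)

# Meaning of TcpipNetbiosOptions in Win32_NetworkAdapterConfiguration
$netbiosState = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $adapters) {
    $current = [int]$nic.TcpipNetbiosOptions
    $action  = 'not changed'

    if ($Apply -and $current -ne 2) {
        # 2 = Disabled, the same setting as the option on the WINS tab
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        $action = switch ($r.ReturnValue) {
            0       { 'disabled' }
            1       { 'disabled, reboot required' }
            default { "failed (WMI return code $($r.ReturnValue))" }
        }
    }

    # One row per adapter: state before the run and what was done
    [pscustomobject]@{
        Adapter       = $nic.Description
        Index         = $nic.Index
        NetBIOSBefore = $netbiosState[$current]
        Action        = $action
    }
}

# DNS Client settings from Group Policy are stored under this key.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (Test-Path $dnsPolicy) {
    # Show every policy value present, without the PowerShell provider properties
    Get-ItemProperty -Path $dnsPolicy | Select-Object * -ExcludeProperty PS*
} else {
    Write-Warning "No DNS Client policy values under $dnsPolicy; the GPO may not have applied yet."
}
```

Run it once without -Apply to see the current state. Adapters left on "Default (from DHCP)" take their NetBIOS setting from the DHCP server, so they count as not yet disabled.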