LLMNR Disabled
ID: llmnr-disabled
Severity: medium
Author: princechaddha
Tags: windows,llmnr,network,security,code,windows-audit
Description
Determine if LLMNR (Link-Local Multicast Name Resolution) is disabled.
YAML Source
id: llmnr-disabled

info:
  name: LLMNR Disabled
  author: princechaddha
  severity: medium
  description: Determine if LLMNR (Link-Local Multicast Name Resolution) is disabled.
  impact: |
    Enabling LLMNR can expose systems to man-in-the-middle attacks.
  remediation: |
    Disable LLMNR to reduce the risk of such attacks.
  tags: windows,llmnr,network,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $lmnrStatus = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name 'EnableMulticast' -ErrorAction SilentlyContinue
      if ($lmnrStatus -and $lmnrStatus.EnableMulticast -eq 0) {"LLMNR is correctly disabled"} else {"LLMNR is misconfigured or enabled by default"}

    matchers:
      - type: word
        words:
          - "LLMNR is misconfigured or enabled by default"
# digest: 490a0046304402202ef330735a22c55ccf4a6a665d19eec479ffb9ba71949aa3959b90b2ca76927e022049cd69fd3ac665460a3ae89c65979f9a4008bdbe4b8e791985ef6164f8cae195:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "code/windows/audit/llmnr-disabled.yaml"
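The template reports a single failure string for every non-compliant host, whether the policy key is absent, the EnableMulticast value is unset, or it is set to something other than 0. The PowerShell below is an added example, not part of the template or the nuclei project: it reads the same registry value, reports which of those cases applies, and includes the remediation write. The function names Get-LlmnrPolicyState and Disable-LlmnrPolicy are hypothetical, and the write needs an elevated session.

```powershell
# Added example: same registry value the template's source block reads.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName  = 'EnableMulticast'

function Get-LlmnrPolicyState {
    # Returns one object saying whether the host passes and why.
    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = $false
        Value     = $null
        Reason    = ''
    }
    if (-not (Test-Path -Path $PolicyPath)) {
        $result.Reason = 'Policy key missing: LLMNR is enabled by default'
        return $result
    }
    $prop = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $result.Reason = "$ValueName not set: LLMNR is enabled by default"
        return $result
    }
    $result.Value = $prop.$ValueName
    if ($result.Value -eq 0) {
        $result.Compliant = $true
        $result.Reason    = 'LLMNR is disabled by policy'
    } else {
        $result.Reason = "$ValueName = $($result.Value): LLMNR is explicitly enabled"
    }
    return $result
}

function Disable-LlmnrPolicy {
    # Writes EnableMulticast = 0 (DWORD), the value the template treats as compliant.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set to 0')) {
        if (-not (Test-Path -Path $PolicyPath)) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Audit only; run Disable-LlmnrPolicy -WhatIf to preview the change first.
Get-LlmnrPolicyState | Format-List
```

On domain-joined hosts the same value is normally delivered by the Group Policy setting "Turn off multicast name resolution" under Computer Configuration > Administrative Templates > Network > DNS Client, so a local write may be overwritten at the next policy refresh.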