LLMNR/NBT-NS Poisoning and Relay Attacks

Hi All,

Any script that can log LLMNR/NBT-NS Poisoning and Relay Attacks?

Thanks in advance.

Kind Regards,
Alex Kefallonitis

I guess using the suggestion on the Corelight site could help build a script based on the port used by LLMNR:

Attackers with the ability to poison or intercept DNS queries can strengthen their foothold into a targeted network by inserting or overwriting records for sensitive hosts. For example, if an attacker can generate a response for “wpad,” they can redirect users’ web traffic through a man-in-the-middle of their choosing. LLMNR may be disabled in an enterprise network, in which case any LLMNR (UDP 5355) traffic would be immediately actionable based on events within Zeek’s conn.log file.

Kind regards,

Alex Kefallonitis

On Mon, 10 Feb 2020 at 6:17 p.m., Alex Kefallonitis <al.kefallonitis@gmail.com> wrote:
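Added example (not code from the thread, Zeek or Corelight): Python that applies the conn.log idea from the quoted paragraph to constructed conn.log records, flagging every UDP 5355 (LLMNR) or UDP 137 (NBT-NS) flow and, going one step beyond the text, tallying which host answered which clients, since one host answering many clients' name queries is the poisoning pattern. The sample records, the trimmed field list, the /24 broadcast heuristic and the assumption that a unicast answer to a multicast or broadcast query shows up as its own flow with originator port 5355/137 are mine.

```python
"""Flag LLMNR / NBT-NS flows in a Zeek conn.log and list suspected responders."""
from collections import defaultdict

NAME_RES_PORTS = {5355: "LLMNR", 137: "NBT-NS"}  # UDP ports for each protocol


def _row(*cols):
    return "\t".join(cols)


# Constructed conn.log excerpt (not a real capture); the field list is trimmed
# to the columns used here, and the parser reads names from the #fields line.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "orig_bytes", "resp_bytes", "conn_state"),
    _row("1581350000.100", "Cq1", "10.0.0.21", "51021", "224.0.0.252", "5355", "udp", "-", "22", "0", "S0"),
    _row("1581350000.120", "Ca1", "10.0.0.99", "5355", "10.0.0.21", "51021", "udp", "-", "38", "0", "SHR"),
    _row("1581350001.300", "Cq2", "10.0.0.22", "49230", "224.0.0.252", "5355", "udp", "-", "24", "0", "S0"),
    _row("1581350001.310", "Ca2", "10.0.0.99", "5355", "10.0.0.22", "49230", "udp", "-", "40", "0", "SHR"),
    _row("1581350002.000", "Cn1", "10.0.0.23", "137", "10.0.0.255", "137", "udp", "-", "50", "0", "S0"),
    _row("1581350002.010", "Cn2", "10.0.0.99", "137", "10.0.0.23", "137", "udp", "-", "62", "0", "SHR"),
    _row("1581350003.000", "Cw1", "10.0.0.21", "50111", "93.184.216.34", "443", "tcp", "ssl", "1200", "5400", "SF"),
    "#close 2020-02-10-18-17-00",
])


def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def name_resolution_flows(text):
    """Every UDP flow touching an LLMNR/NBT-NS port: actionable if LLMNR is disabled."""
    hits = []
    for rec in parse_conn_log(text):
        if rec["proto"] != "udp":
            continue
        proto = NAME_RES_PORTS.get(int(rec["id.resp_p"])) or NAME_RES_PORTS.get(int(rec["id.orig_p"]))
        if proto:
            hits.append((proto, rec["uid"], rec["id.orig_h"], rec["id.resp_h"]))
    return hits


def suspected_responders(text):
    """Map answering host -> sorted clients it answered (assumes answers are unicast flows
    from port 5355/137; multicast 224.x and the constructed /24 broadcast are the queries)."""
    answered = defaultdict(set)
    for rec in parse_conn_log(text):
        if rec["proto"] != "udp" or int(rec["id.orig_p"]) not in NAME_RES_PORTS:
            continue
        if rec["id.resp_h"].startswith("224.") or rec["id.resp_h"].endswith(".255"):
            continue  # the query itself, not an answer
        answered[rec["id.orig_h"]].add(rec["id.resp_h"])
    return {host: sorted(clients) for host, clients in answered.items()}


if __name__ == "__main__":
    for hit in name_resolution_flows(SAMPLE_CONN_LOG):
        print("name-resolution flow:", hit)
    for host, clients in suspected_responders(SAMPLE_CONN_LOG).items():
        print(f"{host} answered {len(clients)} clients: {clients}")
```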