H3-2021-0033

mDNS Poisoning Possible

Category	SECURITY_MISCONFIGURATION
Base Score	7.0

Description

The Multicast Domain Name System (mDNS) protocol enables devices on a local network to identify other hosts on the network in a decentralized manner. An attacker can spoof a reply as an authoritative source to a victim request and capture the credential information passed over the network. Credential information may be captured in hashed or plaintext format.

Impact

A captured hash credential can be cracked offline to discover the plaintext password for reuse on other systems or the hash can be relayed and used to access other systems as well. Likewise, a captured plaintext credential can be immediately used to access other systems.

References

• T1171 - LLMNR/NBT-NS Poisoning and Relay
• mDNS in the Enterprise