H3-2021-0035

NBT-NS Poisoning Possible

Category	SECURITY_MISCONFIGURATION
Base Score	7.0

Description

Netbios Name Service (NBT-NS) is one of two components of Microsoft Windows machines that server as alternate methods of host identification. An attacker can spoof a reply as an authoritative source to a victim request and capture the credential information passed over the network. Credential information can be captured in hashed or plaintext format.

Impact

A captured hash credential can be cracked offline to discover the plaintext password and also be relayed for reuse on other systems. Likewise, a captured plaintext credential can be immediately used to access other systems.

References

• T1171 - LLMNR/NBT-NS Poisoning and Relay
• Local Network Vulnerabilities - LLMNR and NTB-NS Poisoning
• LLMNR and NBT-NS Mitigation