漏洞描述
Determine if LLMNR (Link-Local Multicast Name Resolution) is disabled.
llmnr-disabled: LLMNR Disabled
PoC代码[已公开]
id: llmnr-disabled
info:
name: LLMNR Disabled
author: princechaddha
severity: medium
description: Determine if LLMNR (Link-Local Multicast Name Resolution) is disabled.
impact: |
Enabling LLMNR can expose systems to man-in-the-middle attacks.
remediation: |
Disable LLMNR to reduce the risk of such attacks.
tags: windows,llmnr,network,security,code,windows-audit
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
$lmnrStatus = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name 'EnableMulticast' -ErrorAction SilentlyContinue
if ($lmnrStatus -and $lmnrStatus.EnableMulticast -eq 0) {"LLMNR is correctly disabled"} else {"LLMNR is misconfigured or enabled by default"}
matchers:
- type: word
words:
- "LLMNR is misconfigured or enabled by default"
# digest: 490a0046304402202ef330735a22c55ccf4a6a665d19eec479ffb9ba71949aa3959b90b2ca76927e022049cd69fd3ac665460a3ae89c65979f9a4008bdbe4b8e791985ef6164f8cae195:922c64590222798bb761d5b6d8e72950