[Zeek] LLMNR/NBT-NS Poisoning and Relay Attacks

Alex Kefallonitis al.kefallonitis at gmail.com
Tue Feb 18 23:05:35 PST 2020


I guess using the suggestion on the Corelight site could help build a script
based on the port used in LLMNR



*Attackers with the ability to poison or intercept DNS queries can
strengthen their foothold into a targeted network by inserting or
overwriting records for sensitive hosts. For example, if an attacker can
generate a response for "wpad," they can redirect users' web traffic
through a man-in-the-middle of their choosing. LLMNR may be disabled in an
enterprise network, in which case any LLMNR (UDP 5355) traffic would be
immediately actionable based on events within Zeek's conn.log file.*


Kind regards,

Alex Kefallonitis


On Mon, 10 Feb 2020 at 6:17 PM, Alex Kefallonitis <
al.kefallonitis at gmail.com> wrote:

> Hi All,
>
>  Any script that can log LLMNR/NBT-NS Poisoning and Relay Attacks ?
>
> Thanks in advance.
>
> Kind Regards,
> Alex Kefallonitis
>
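Taking the Corelight suggestion literally, the following is an added example of mine (not code from this thread and not part of Zeek's own script library) that reads conn.log records and reports two things: any LLMNR (UDP 5355) or NBT-NS (UDP 137) flow at all, for sites where both protocols are supposed to be disabled, and unicast hosts that answered such queries, which is the pattern a Responder-style poisoner leaves behind. The sample conn.log lines are constructed, and the assumption that Zeek logs the poisoner's unicast answer as its own connection (its 5-tuple does not match the multicast or broadcast query) with bytes only in the responder direction is mine.

```python
"""Flag LLMNR (UDP 5355) and NBT-NS (UDP 137) activity in a Zeek conn.log.

Added example; not part of the original mailing-list thread or of Zeek.
"""
import ipaddress
from collections import defaultdict

# Ports Zeek hands to its DNS analyzer for these two name-resolution protocols.
NAME_RES_PORTS = {5355: "LLMNR", 137: "NBT-NS"}

# Constructed sample conn.log (Zeek TSV layout, subset of the usual fields);
# not captured data. Cx2 and Cx4 model the unicast answers a poisoner sends
# back: they do not match the 5-tuple of the multicast/broadcast query, so
# Zeek logs them as separate connections (assumption made for this example).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount\tstring
1581984000.1\tCx1\t10.0.0.21\t51234\t224.0.0.252\t5355\tudp\tdns\t22\t0\tS0
1581984000.2\tCx2\t10.0.0.21\t51234\t10.0.0.99\t5355\tudp\tdns\t0\t38\tSHR
1581984001.0\tCx3\t10.0.0.22\t137\t10.0.0.255\t137\tudp\tdns\t50\t0\tS0
1581984001.1\tCx4\t10.0.0.22\t137\t10.0.0.99\t137\tudp\tdns\t0\t62\tSHR
1581984002.0\tCx5\t10.0.0.30\t52000\t224.0.0.252\t5355\tudp\tdns\t24\t0\tS0
1581984005.0\tCx6\t10.0.0.23\t49000\t10.0.0.5\t443\ttcp\tssl\t800\t5000\tSF
"""


def parse_conn_log(text):
    """Parse Zeek's TSV conn.log into a list of dicts keyed by #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close)
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_group_address(addr):
    """True for multicast (LLMNR) and IPv4 broadcast (NBT-NS) destinations."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return True
    # Directed broadcast is approximated here as a host part of .255
    # (assumption: /24 subnets; adjust for your addressing plan).
    return ip.version == 4 and (addr == "255.255.255.255" or addr.endswith(".255"))


def _count(value):
    """conn.log writes '-' for unset counters."""
    return 0 if value in ("-", "") else int(value)


def analyze(rows, protocols_disabled=True):
    """Return policy hits (any LLMNR/NBT-NS flow) and unicast hosts that answered.

    A query is addressed to a group address, so a unicast responder that sent
    bytes back to the querier is the hallmark of a poisoner such as Responder.
    """
    policy_hits = []
    answered = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if r["proto"] != "udp":
            continue
        name = NAME_RES_PORTS.get(int(r["id.resp_p"]))
        if name is None:
            continue
        if protocols_disabled:
            policy_hits.append((r["uid"], name, r["id.orig_h"], r["id.resp_h"]))
        if not is_group_address(r["id.resp_h"]) and _count(r["resp_bytes"]) > 0:
            answered[r["id.resp_h"]][name].add(r["id.orig_h"])
    responders = {host: {n: sorted(v) for n, v in by_proto.items()}
                  for host, by_proto in answered.items()}
    return {"policy_hits": policy_hits, "responders": responders}


if __name__ == "__main__":
    report = analyze(parse_conn_log(SAMPLE_CONN_LOG))
    for uid, name, orig, resp in report["policy_hits"]:
        print(f"{name} traffic seen ({uid}): {orig} -> {resp}")
    for host, by_proto in report["responders"].items():
        for name, victims in by_proto.items():
            print(f"candidate {name} poisoner {host} answered "
                  f"{len(victims)} host(s): {', '.join(victims)}")
```

Run it against a real conn.log by swapping SAMPLE_CONN_LOG for the file contents. A legitimate Windows host answering an LLMNR query for its own name produces the same unicast-answer shape, so on a network where the protocols are still enabled, correlate the responder with dns.log (a host answering for many different names, or for "wpad", is the tell) or alert only once a host has answered several distinct queriers.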

