[Zeek] LLMNR/NBT-NS Poisoning and Relay Attacks
Alex Kefallonitis
al.kefallonitis at gmail.com
Tue Feb 18 23:05:35 PST 2020
I guess using the suggestion on the Corelight site could help build a script
based on the port used in LLMNR:
*Attackers with the ability to poison or intercept DNS queries can
strengthen their foothold into a targeted network by inserting or
overwriting records for sensitive hosts. For example, if an attacker can
generate a response for "wpad," they can redirect users' web traffic
through a man-in-the-middle of their choosing. LLMNR may be disabled in an
enterprise network, in which case any LLMNR (UDP 5355) traffic would be
immediately actionable based on events within Zeek's conn.log file.*
Kind regards,
Alex Kefallonitis
On Mon, 10 Feb 2020 at 6:17 PM, Alex Kefallonitis <
al.kefallonitis at gmail.com> wrote:
> Hi All,
>
> Any script that can log LLMNR/NBT-NS Poisoning and Relay Attacks ?
>
> Thanks in advance.
>
> Kind Regards,
> Alex Kefallonitis
>
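Following the Corelight suggestion quoted above, here is an added example Zeek script (not part of this thread and not Corelight's or the Zeek project's code). It raises a notice for every LLMNR (UDP 5355) or NBT-NS (UDP 137) flow Zeek sees, which is the "immediately actionable" signal on a network where both protocols are disabled by policy, and a second notice when a unicast host actually answers on one of those ports, since a poisoner has to answer to capture anything. The port numbers, the multicast and broadcast query destinations, and the `allowed_responders` and `query_destinations` tuning sets are this example's own assumptions, not something from the thread.

```zeek
##! Added example, not from the thread and not Corelight's code.
##! Logs LLMNR (UDP 5355) and NBT-NS (UDP 137) flows as notices and
##! separately flags unicast hosts that answer on those ports.

@load base/frameworks/notice

module LLMNR_NBTNS;

export {
    redef enum Notice::Type += {
        ## Any LLMNR or NBT-NS flow was observed at all.
        Traffic_Seen,
        ## A unicast host sent bytes from an LLMNR/NBT-NS port to a peer.
        Responder_Seen,
    };

    ## Assumption: standard LLMNR and NBT-NS ports.
    const watched_ports: set[port] = { 5355/udp, 137/udp } &redef;

    ## Where queries go: LLMNR multicast (v4 and v6) and limited broadcast.
    ## Assumption: add your subnet broadcast addresses for NBT-NS per site.
    const query_destinations: set[addr] = {
        224.0.0.252, [ff02::1:3], 255.255.255.255,
    } &redef;

    ## Hosts allowed to answer (e.g. a WINS server). Hypothetical knob,
    ## empty by default so every responder is reported.
    const allowed_responders: set[addr] = {} &redef;
}

function proto_name(p: port): string
{
    return p == 5355/udp ? "LLMNR" : "NBT-NS";
}

# One side of a flow is a responder if it sent bytes from a watched port
# to a unicast peer; queries only ever target query_destinations.
function flag_if_responder(c: connection, h: addr, p: port, peer: addr, bytes: count)
{
    if ( p !in watched_ports || bytes == 0 )
        return;
    if ( h in query_destinations || peer in query_destinations )
        return;
    if ( h in allowed_responders )
        return;

    NOTICE([$note=Responder_Seen, $conn=c,
            $msg=fmt("%s answer from %s (port %s) to %s",
                     proto_name(p), h, p, peer),
            $identifier=cat(h, proto_name(p)),
            $suppress_for=1hr]);
}

event connection_state_remove(c: connection)
{
    local id = c$id;

    # Check both ports: a unicast reply from port 5355/137 may or may not
    # have been flipped into the responder role by Zeek's UDP heuristics.
    if ( id$orig_p !in watched_ports && id$resp_p !in watched_ports )
        return;

    local proto = proto_name(id$orig_p in watched_ports ? id$orig_p : id$resp_p);

    NOTICE([$note=Traffic_Seen, $conn=c,
            $msg=fmt("%s traffic %s -> %s", proto, id$orig_h, id$resp_h),
            $identifier=cat(id$orig_h, proto),
            $suppress_for=1hr]);

    flag_if_responder(c, id$orig_h, id$orig_p, id$resp_h, c$orig$size);
    flag_if_responder(c, id$resp_h, id$resp_p, id$orig_h, c$resp$size);
}
```

Run it against a capture with `zeek -r capture.pcap llmnr_nbtns.zeek` and look in notice.log; `Traffic_Seen` fires once per source host and protocol per hour, `Responder_Seen` once per answering host. On a network where LLMNR/NBT-NS are meant to be disabled, both notices are worth escalating; where they are still enabled, only `Responder_Seen` from a host that is not in `allowed_responders` is interesting, and you will want your subnet broadcast addresses in `query_destinations` so NBT-NS queries are not mistaken for answers.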