Broadcast Name Resolution Poisoning
Broadcast name resolution poisoning is an attack targeting user credentials as a means to further access corporate networks and data. To initiate the attack, a threat actor would buy a generic top-level domain (gTLD) and establish attacker-controlled entries for the web proxy auto-discover protocol (WPAD). The attacker spoofs domain name resolutions to which victim computers will then auto-connect, generally when the end user is trying to connect to the internet via an external DNS, such as at a hotel or coffee shop. The spoofed domain responds to authentication requests and can capture authentication credentials.
According to a report published in August by Praetorian, broadcast name resolution poisoning ranks among the top five attack techniques.
To mitigate the possibility of broadcast name resolution poisoning, IT administrators should populate DNS servers with entries for all known valid resources; disable LLMNR and NetBIOS; disable proxy auto-detection in Internet Explorer.
Get the DeMISTIfying InfoSec newsletter every Tuesday!
