DeMISTIfying Infosec: Broadcast Name Resolution Poisoning

By Katherine Teitler

Broadcast Name Resolution Poisoning

Broadcast name resolution poisoning is an attack that targets user credentials as a stepping stone to further access into corporate networks and data. To initiate the attack, a threat actor would buy a generic top-level domain (gTLD) and establish attacker-controlled entries for the web proxy auto-discover protocol (WPAD). The attacker spoofs domain name resolutions to which victim computers then auto-connect, generally when the end user is connecting to the internet through an external DNS resolver, such as at a hotel or coffee shop. The spoofed domain responds to the victim's authentication requests and can capture the credentials they carry.

According to a report published in August by Praetorian, broadcast name resolution poisoning ranks among the top five attack techniques.

To mitigate the possibility of broadcast name resolution poisoning, IT administrators should populate DNS servers with entries for all known valid resources (so that hosts never fall back to broadcast lookups for them), disable LLMNR and NetBIOS, and disable proxy auto-detection in Internet Explorer.
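The three host-side mitigations above, as an added PowerShell example that is not part of the article: it applies the LLMNR, NetBIOS and proxy auto-detection settings on one Windows machine and reads them back, together with what the name `wpad` currently resolves to. It assumes an elevated session; the registry locations are the standard policy and service keys, and the `AutoDetect` value is assumed to mirror the Internet Explorer "Automatically detect settings" checkbox for the current user.

```powershell
# Added example (not from the article): harden one Windows host against
# broadcast name resolution poisoning and verify the result. Run elevated.

function Set-NameResolutionHardening {
    # LLMNR: EnableMulticast = 0 under the DNSClient policy key turns it off.
    $llmnr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnr)) { New-Item -Path $llmnr -Force | Out-Null }
    Set-ItemProperty -Path $llmnr -Name EnableMulticast -Value 0 -Type DWord

    # NetBIOS over TCP/IP: option 2 = disabled, applied to every IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }

    # WPAD: stop WinHTTP auto-discovery, keep the auto-proxy service from
    # starting, and clear the per-user IE "Automatically detect settings" flag
    # (AutoDetect is assumed to mirror that checkbox).
    $winhttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    if (-not (Test-Path $winhttp)) { New-Item -Path $winhttp -Force | Out-Null }
    Set-ItemProperty -Path $winhttp -Name DisableWpad -Value 1 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
        -Name Start -Value 4 -Type DWord   # 4 = service disabled
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -Name AutoDetect -Value 0 -Type DWord
}

function Test-NameResolutionHardening {
    # Read each setting back. WpadResolvesTo shows where a 'wpad' lookup lands:
    # an internal address is the DNS entry the article recommends; an address
    # outside your own ranges means the host is trusting an external answer.
    $wpad = Resolve-DnsName -Name wpad -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LlmnrDisabled   = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                               -ErrorAction SilentlyContinue).EnableMulticast -eq 0
        NetbiosDisabled = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                               Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count -eq 0
        WpadDisabled    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' `
                               -ErrorAction SilentlyContinue).DisableWpad -eq 1
        WpadResolvesTo  = if ($wpad) { ($wpad | Where-Object IPAddress | ForEach-Object IPAddress) -join ',' }
                          else { 'not resolvable' }
    }
}

Set-NameResolutionHardening
Test-NameResolutionHardening | Format-List
```

A NetBIOS change made this way takes effect per adapter immediately, while the service Start value only prevents the next start; reboot or stop the service to complete the change.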
