
5 Network Misconfigurations Attackers Count On And How to Fix Them

Across the internal penetration tests we conduct, we find the same misconfigurations again and again. They aren’t exotic zero-days or advanced tradecraft, either; we’re finding legacy protocols, insecure features left enabled long after their original purposes have passed, and more.

Today, we’re looking at five findings Deer Brook’s technical services team encounters most frequently during internal Active Directory assessments: LLMNR, NetBIOS Name Service, mDNS, WPAD, and SMB signing not required.

Individually, these issues might appear low-risk. But in practice, they are routinely chained together to achieve credential theft and domain compromise.

LLMNR and NetBIOS Name Service

LLMNR and NetBIOS are legacy name resolution mechanisms that kick in when DNS fails. Instead of querying a trusted DNS server, systems broadcast requests to the local network asking “who is X?”, to which any system on that network can respond.

An attacker listens for those broadcasts and answers as the requested host. When the victim system attempts to authenticate to the attacker-controlled host, NTLM authentication is sent automatically and often without any user interaction. Even a single mistyped hostname or unavailable DNS record is enough. This enables hash capture, NTLM relay attacks, and lateral movement.

Detection Signals

  • Group Policy settings allowing LLMNR
  • NetBIOS enabled on network interfaces
  • Network traffic showing UDP 5355 or UDP 137 broadcasts
  • Tools like Responder or Inveigh successfully receiving requests during testing

Remediation

  • Disable LLMNR via Group Policy
  • Disable NetBIOS over TCP/IP where not explicitly required
  • Ensure DNS is reliable and correctly configured
  • Monitor for unexpected name resolution broadcasts

Multicast DNS (mDNS)

Multicast DNS (mDNS) is used for service discovery on local networks, particularly in mixed or managed environments. It allows systems to find services without a central DNS server, which also means it exposes hostnames and service information to anyone on the local network.

mDNS is less commonly abused than LLMNR or NetBIOS, but it still assists with host discovery and targeting. In tightly controlled enterprise environments, it is rarely necessary and is often overlooked.

Detection Signals

  • UDP 5353 multicast traffic
  • mDNS enabled on endpoints and servers
  • Apple or IoT services bleeding into enterprise segments

Remediation

  • Disable mDNS where it is not required
  • Restrict multicast traffic between network segments
  • Separate user, server, and device networks
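The following PowerShell script is an added audit-and-remediate example for the LLMNR/NetBIOS and mDNS sections above; it is not code from the original post. It assumes an elevated session on a domain-joined Windows 10/11 or Windows Server host. It reads the three settings the detection bullets point at (the LLMNR policy value, the per-adapter NetBIOS setting, and the Windows DNS client's mDNS switch) and, when run with -Remediate, applies the settings the remediation bullets describe. In a managed environment the LLMNR and mDNS values would normally be set through Group Policy rather than locally; the script writes the same registry values that policy does.

```powershell
# Added example: audit (and optionally disable) LLMNR, NetBIOS over TCP/IP and mDNS
# on the local host. Not from the original post. Requires an elevated session.
param([switch]$Remediate)

# "Turn off multicast name resolution" policy writes EnableMulticast here (0 = LLMNR off).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# The Windows DNS client's mDNS responder is controlled by EnableMDNS (0 = mDNS off).
$mdnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means "not configured", which for both settings means the protocol is enabled.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

$findings = @()

# --- LLMNR (UDP 5355) ---
$llmnr = Get-RegValue $llmnrKey 'EnableMulticast'
if ($llmnr -ne 0) {
    $findings += New-Finding 'LLMNR' 'ENABLED' "EnableMulticast=$llmnr (blank = not configured)"
    if ($Remediate) { Set-RegDword $llmnrKey 'EnableMulticast' 0 }
} else {
    $findings += New-Finding 'LLMNR' 'disabled' 'EnableMulticast=0'
}

# --- mDNS (UDP 5353) ---
$mdns = Get-RegValue $mdnsKey 'EnableMDNS'
if ($mdns -ne 0) {
    $findings += New-Finding 'mDNS' 'ENABLED' "EnableMDNS=$mdns (blank = not configured)"
    if ($Remediate) { Set-RegDword $mdnsKey 'EnableMDNS' 0 }
} else {
    $findings += New-Finding 'mDNS' 'disabled' 'EnableMDNS=0'
}

# --- NetBIOS over TCP/IP (UDP 137), per IP-enabled adapter ---
# TcpipNetbiosOptions: 0 = follow DHCP server setting, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    if ($a.TcpipNetbiosOptions -ne 2) {
        $findings += New-Finding 'NetBIOS' 'ENABLED' "$($a.Description): TcpipNetbiosOptions=$($a.TcpipNetbiosOptions)"
        if ($Remediate) {
            # Same change as "Disable NetBIOS over TCP/IP" in the adapter's WINS tab.
            Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    } else {
        $findings += New-Finding 'NetBIOS' 'disabled' "$($a.Description): TcpipNetbiosOptions=2"
    }
}

$findings | Format-Table -AutoSize
if ($Remediate) { Write-Host 'Settings applied. Restart the DNS Client service or reboot for the LLMNR/mDNS change to take effect.' }
```

Run it once without the switch to get the current state, then with -Remediate on a test host before rolling the equivalent settings out by policy. The NetBIOS change is per adapter, so a host with several interfaces (VPN adapters, virtual switches) will show one line per interface.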

WPAD

WPAD allows systems to automatically discover proxy configuration files. When enabled, clients attempt to locate a file named wpad.dat using DNS, DHCP, or name resolution fallback methods.

If WPAD is enabled and improperly configured, an attacker can impersonate the WPAD host and serve a malicious proxy configuration. This allows them to intercept web traffic and capture NTLM authentication in the process. This is a consistent source of credential capture during internal testing.

Detection Signals

  • WPAD enabled in browser or system settings
  • DNS records or DHCP options referencing WPAD
  • NTLM authentication attempts to unexpected proxy hosts

Remediation

  • Disable WPAD if not explicitly required
  • Create a DNS record for WPAD pointing to a non-routable address
  • Enforce proxy configuration via Group Policy instead of auto-discovery
  • Block NTLM authentication to proxy services
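The following PowerShell script is an added example for the WPAD section above, not code from the original post. It checks the places a WPAD lookup can succeed from: the WinHTTP auto-proxy service on the local host, the user's "automatically detect settings" flag, the DNS server's global query block list (which Windows DNS uses to refuse wpad lookups), an explicit wpad host record, and DHCP option 252. The zone name and DHCP server name are placeholders, and the DNS and DHCP checks assume the DnsServer and DhcpServer RSAT modules are installed and the caller has rights on those servers. With -Remediate it disables the local service and adds wpad to the DNS block list.

```powershell
# Added example: audit WPAD exposure on a host and in the AD DNS/DHCP infrastructure.
# Not from the original post. Zone and DHCP server names below are placeholders.
param(
    [switch]$Remediate,
    [string]$ZoneName   = 'corp.example',          # placeholder: the AD-integrated DNS zone
    [string]$DnsServer  = 'dc01.corp.example',     # placeholder: a DNS server for that zone
    [string]$DhcpServer = 'dhcp01.corp.example'    # placeholder: an authorized DHCP server
)

# 1. WinHTTP Web Proxy Auto-Discovery service: clients use it to fetch wpad.dat.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
$svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
if ($svc) {
    "[host] WinHttpAutoProxySvc is {0}, start type {1}" -f $svc.Status, $svc.StartType
    if ($Remediate -and $svc.StartType -ne 'Disabled') {
        # Newer builds do not let Set-Service disable this service; Start=4 in the registry does.
        Set-ItemProperty -Path $svcKey -Name Start -Value 4
        '[host] WinHttpAutoProxySvc set to disabled (effective after reboot)'
    }
}

# 2. Per-user "Automatically detect settings" (Internet Options > LAN settings).
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$autoDetect = (Get-ItemProperty -Path $ieKey -Name AutoDetect -ErrorAction SilentlyContinue).AutoDetect
"[user] AutoDetect = {0} (blank or 1 = auto-detect on, 0 = off)" -f $autoDetect
if ($Remediate -and $autoDetect -ne 0) {
    Set-ItemProperty -Path $ieKey -Name AutoDetect -Value 0 -Type DWord
}

# 3. DNS: is "wpad" on the server's global query block list, and is there a wpad record anyway?
try {
    $block = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -ErrorAction Stop
    $wpadBlocked = $block.Enable -and ($block.List -contains 'wpad')
    "[dns] global query block list enabled={0}, contains wpad={1}" -f $block.Enable, $wpadBlocked
    if ($Remediate -and -not $wpadBlocked) {
        # Keep existing entries (isatap is there by default) and add wpad.
        $newList = @($block.List) + 'wpad' | Select-Object -Unique
        Set-DnsServerGlobalQueryBlockList -ComputerName $DnsServer -Enable $true -List $newList
        '[dns] wpad added to the global query block list'
    }
} catch { "[dns] could not read block list on $DnsServer : $($_.Exception.Message)" }

$rec = Resolve-DnsName -Name "wpad.$ZoneName" -Type A -Server $DnsServer -ErrorAction SilentlyContinue
if ($rec) { "[dns] wpad.$ZoneName resolves to $($rec.IPAddress -join ', ') - verify this is the intended sinkhole or proxy" }
else      { "[dns] wpad.$ZoneName does not resolve" }

# 4. DHCP option 252 hands clients a WPAD URL directly, bypassing DNS.
try {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 252 -ErrorAction Stop
    "[dhcp] option 252 is set server-wide: $($opt.Value -join ', ')"
} catch { "[dhcp] no server-wide option 252 on $DhcpServer" }
```

The DNS check deliberately reports a resolving wpad record rather than deleting it: if the page's recommendation of a sinkhole record has already been applied, that record is the control and should stay.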

SMB Signing Not Required

SMB signing ensures the integrity of SMB traffic by preventing tampering and relay attacks. When it’s not required, authentication attempts can be intercepted and forwarded to other systems, all without ever needing to crack a password.

Combined with NTLM authentication capture, lack of SMB signing is one of the most reliable paths from initial access to privileged access in Windows environments.

Detection Signals

  • SMB signing set to “not required” on servers or workstations
  • Domain controllers enforcing signing while member servers do not
  • Successful NTLM relay during testing

Remediation

  • Require SMB signing on all systems where feasible
  • Enforce SMB signing via Group Policy
  • Reduce NTLM usage in favor of Kerberos
  • Monitor for NTLM authentication where Kerberos should be used
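The following PowerShell script is an added example for the SMB signing section above, not code from the original post. It collects the server-side and client-side signing settings from a list of hosts over WinRM (the host names are placeholders and the caller needs local administrator rights on them), optionally enforces signing, and then summarises recent NTLM network logons from the local Security log, which is the "NTLM where Kerberos should be used" signal in the detection bullets. The 4624 parsing reads the event XML by field name rather than by property index.

```powershell
# Added example: fleet SMB signing audit plus NTLM network-logon summary.
# Not from the original post. Host names are placeholders; requires WinRM and admin rights.
param(
    [string[]]$ComputerName = @('srv01.corp.example', 'srv02.corp.example'),
    [switch]$Remediate,
    [int]$Hours = 24
)

# --- SMB signing state on each host ---
$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $s = Get-SmbServerConfiguration
    $c = Get-SmbClientConfiguration
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        ServerRequireSigning = $s.RequireSecuritySignature   # "Digitally sign communications (always)"
        ServerEnableSigning  = $s.EnableSecuritySignature    # "(if client agrees)" - not sufficient on its own
        ClientRequireSigning = $c.RequireSecuritySignature
        SMB1Enabled          = $s.EnableSMB1Protocol
    }
    if ($using:Remediate) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
} -ErrorAction SilentlyContinue

$report | Sort-Object ServerRequireSigning, Computer |
    Format-Table Computer, ServerRequireSigning, ServerEnableSigning, ClientRequireSigning, SMB1Enabled -AutoSize

$relayable = @($report | Where-Object { -not $_.ServerRequireSigning })
"{0} of {1} hosts reached do not require server-side signing" -f $relayable.Count, @($report).Count

# --- NTLM network logons on this host (Event 4624, LogonType 3, package NTLM) ---
function Get-NtlmNetworkLogons([int]$LookbackHours) {
    $start = (Get-Date).AddHours(-$LookbackHours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source      = $d.IpAddress
                    Workstation = $d.WorkstationName
                    LmPackage   = $d.LmPackageName   # NTLM V1 here is a separate, worse finding
                }
            }
        }
}

$ntlm = @(Get-NtlmNetworkLogons -LookbackHours $Hours)
"{0} NTLM network logons in the last {1} hours; top sources:" -f $ntlm.Count, $Hours
$ntlm | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source'; e = { $_.Name } } -First 15 | Format-Table -AutoSize
```

On domain-joined hosts where Kerberos is expected, the source list is the starting point: a handful of legacy appliances or IP-only connections is normal, a workstation authenticating to many servers with NTLM is not. Run the logon summary on the domain controllers to see NTLM validation for the whole domain rather than for one host.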

Fix These First

None of the issues covered here are new, and that’s exactly why they matter.

Organizations often focus on advanced threats while leaving these foundational weaknesses unaddressed. Attackers don’t need to be advanced when the environment is opening the door for them.

Disabling legacy protocols, enforcing SMB signing, and hardening authentication pathways removes some of the most reliable tools attackers depend on for initial access and privilege escalation.

If you fix nothing else, fix these first.

About Deer Brook Technical Services

Deer Brook’s technical services team conducts internal and external penetration tests for organizations across regulated industries.

If you’d like to better understand your exposure to these and other common attack paths, you can learn more here and contact us to schedule a consultation.
