{"id":3230,"date":"2025-10-14T18:53:15","date_gmt":"2025-10-14T18:53:15","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/14\/legacy-windows-protocols-still-expose-networks-to-credential-theft\/"},"modified":"2025-10-14T18:53:15","modified_gmt":"2025-10-14T18:53:15","slug":"legacy-windows-protocols-still-expose-networks-to-credential-theft","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/10\/14\/legacy-windows-protocols-still-expose-networks-to-credential-theft\/","title":{"rendered":"Legacy Windows Protocols Still Expose Networks to Credential Theft"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new cybersecurity study has found that legacy Windows communication protocols continue to expose organizations to credential theft, even without exploiting software vulnerabilities.<\/p>\n<p>The research, published today by Resecurity, warned that attackers can capture login data simply by being on the same local network as their targets.<\/p>\n<h2>Legacy Features Still in Use<\/h2>\n<p>Link-Local Multicast Name Resolution (LLMNR) and its predecessor, NetBIOS Name Service (NBT-NS), were designed to help Windows systems find other devices when DNS lookups fail. However, these protocols trust any device that responds to their requests \u2013\u00a0an oversight that allows attackers to impersonate legitimate systems.<\/p>\n<p>By using tools such as Responder, a hacker can intercept these broadcasts and trick a victim machine into sending authentication data. 
The attacker then captures information including usernames, domain details and encrypted password hashes.<\/p>\n<p>\u201cThis attack does not rely on exploiting a software vulnerability,\u201d\u00a0the study said.<\/p>\n<p>\u201cIt takes advantage of default Windows behavior and only requires the attacker to be present on the same local network segment as the victim.\u201d<\/p>\n<h2>Growing Concern For Organizations<\/h2>\n<p>Once stolen, the captured data can be cracked offline or reused in what\u2019s known as a relay attack. This can provide direct access to corporate databases, file servers or administrative systems. In some cases, attackers may obtain passwords in cleartext, gaining immediate entry to sensitive data.<\/p>\n<p>Researchers warned that the consequences extend well beyond a single compromised device. Once attackers obtain valid credentials, they can move laterally across the network, accessing additional systems and resources.<\/p>\n<p>From there, they may escalate privileges by targeting high-value accounts such as administrators or service users, gaining broader control over the environment.<\/p>\n<p>This kind of access can lead to widespread data exposure, unauthorized changes to systems and even the disruption of critical business services or operational downtime. In large organizations, the impact can ripple across departments, making containment and recovery more complex.<\/p>\n<h2>Recommended Fixes<\/h2>\n<p>The study outlined several ways to mitigate the risk. 
Organizations are urged to:<\/p>\n<ul>\n<li>\n<p>Disable LLMNR and NBT-NS through Group Policy<\/p>\n<\/li>\n<li>\n<p>Block UDP port 5355 to prevent multicast queries<\/p>\n<\/li>\n<li>\n<p>Enforce SMB signing and reduce NTLM authentication<\/p>\n<\/li>\n<li>\n<p>Maintain accurate DNS configurations to avoid fallback lookups<\/p>\n<\/li>\n<\/ul>\n<p>Security teams are also encouraged to monitor for unusual traffic on these protocols, which may indicate active exploitation attempts.<\/p>\n<p>According to the report, LLMNR and NBT-NS poisoning remains one of the most common (and preventable) network attacks.<\/p>\n<p>\u201cThe most effective defense is to eliminate reliance on these legacy protocols by disabling LLMNR and NBT-NS, enforcing secure authentication methods such as Kerberos and ensuring DNS infrastructure is properly configured,\u201d Resecurity said.<\/p>\n<p>\u201cCombined with network monitoring and credential-hardening practices, these measures significantly reduce the risk of credential theft through broadcast poisoning attacks.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new cybersecurity study has found that legacy Windows communication protocols continue to expose organizations to credential theft, even without exploiting software vulnerabilities. The research, published today by Resecurity, warned that attackers can capture login data simply by being on the same local network as their targets. 
Legacy Features Still in Use Link-Local Multicast Name<\/p>\n","protected":false},"author":2,"featured_media":3231,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3230-ffda3755-1f7d-4944-8463-903511849bb9-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3230"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3230\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3231"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}