What is the role of LLMNR, NBSS and NBNS protocols in WannaCry?

Çağlar Arlı      -    19 Views

I know that LLMNR is the "new version" of NetBIOS and both of them are basically for resolving names to IP addresses.

I also know some exploits based on them, like a MiTM attack in which the attacker sends a malicious response to the victim when the victim asks for the IP address of a machine.

But I don't understand their roles in the WannaCry attack.

I have a PCAP capture file that I am assuming is doing the WannaCry attack, and in a video I was watching the guy says if you see a lot of LLMNR in a capture it's a red flag for EternalBlue/WannaCry.

And indeed in this capture there are a LOT of LLMNR, NBSS and NBNS packets, and NetworkMiner says it suspects the EternalBlue exploit as well and points to these NBSS packets, but I can't understand the content of them.

I see a lot of Name Query NB WPAD, Refresh NB and Registration NB.

Also, all of the LLMNR packets are standard query "a hex number" A or something similar (like A wpad, ANY "a VM name", A isatap).

But I don't understand what they are doing.

Can someone ELI5 what their role in the attack is without getting into too much detail?

I watched a lot of videos regarding this but none of them really answered this.

Basically, what I'm asking is this:

How are these protocols used in the WannaCry attack? Why are there a lot of these packets in a pcap file of a network that was attacked by WannaCry?

(I did watch a lot of videos and read articles about this attack and about these protocols but I still don't get the connection!)
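
For reading the packet types listed in the question ("Name Query NB WPAD", "Registration NB", LLMNR "A wpad"), here is an added example, not part of the original post, that decodes the question section of an NBNS (UDP 137) or LLMNR (UDP 5355) payload. The function names are hypothetical and both sample payloads are constructed, not taken from the capture described above.

```python
import struct

QTYPES = {1: "A", 28: "AAAA", 32: "NB", 255: "ANY"}
NBNS_OPCODES = {0: "Name Query", 5: "Registration", 8: "Refresh"}

def read_name(payload, off):
    """Read uncompressed DNS-style labels; return (labels, next offset)."""
    labels = []
    while off < len(payload):
        n = payload[off]
        off += 1
        if n == 0:
            return labels, off
        if n > 63 or off + n > len(payload):
            raise ValueError("compressed or truncated name")
        labels.append(payload[off:off + n])
        off += n
    raise ValueError("truncated name")

def decode_nbns_label(label):
    """Undo NetBIOS first-level encoding: 32 letters 'A'..'P' -> 16 bytes."""
    if len(label) != 32 or any(not 65 <= c <= 80 for c in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 65) << 4) | (label[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def describe(payload, udp_port):
    """Summarise the first question of an NBNS (137) or LLMNR (5355) packet."""
    if len(payload) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, off = read_name(payload, 12)
    if qdcount < 1 or not labels or off + 4 > len(payload):
        raise ValueError("no complete question section")
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    tname = QTYPES.get(qtype, f"type {qtype}")
    if udp_port == 137:
        opcode = (flags >> 11) & 0xF  # NBNS opcode sits in header bits 11-14
        name, suffix = decode_nbns_label(labels[0])
        return f"NBNS {NBNS_OPCODES.get(opcode, opcode)} {tname} {name}<{suffix:02x}>"
    if udp_port == 5355:
        host = ".".join(lab.decode("ascii", "replace") for lab in labels)
        return f"LLMNR query {tname} {host}"
    raise ValueError("not an NBNS or LLMNR port")

# Constructed sample payloads (not taken from the capture in the post).
SAMPLE_NBNS = (struct.pack("!6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20FHFAEBEE"
               + b"CA" * 11 + b"AA\x00" + struct.pack("!HH", 0x20, 1))
SAMPLE_LLMNR = struct.pack("!6H", 0xBEEF, 0, 1, 0, 0, 0) + b"\x04wpad\x00" + struct.pack("!HH", 1, 1)
```

Calling `describe(SAMPLE_NBNS, 137)` and `describe(SAMPLE_LLMNR, 5355)` yields the same kind of one-line summaries a packet analyzer shows for these protocols.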