Old School On-Target NBNS Spoofing

Sunday, September 30, 2012

Rob Fuller


One of pen testers' favorite attacks is NBNS spoofing.

Now Wesley, who I originally learned this attack from, traced this back to Sid (http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/). Wesley's stuff can be found here: http://www.mcgrewsecurity.com/tools/nbnspoof/

Wesley's stuff eventually led to this awesome post on the Packetstan blog: http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html

and in that post the Metasploit module to do it all is demoed. But therein lies the rub: with each degree of separation we have more and more solidified it into an "on-site" only attack.

But if you read through Sid's paper from 2007 this doesn't have to be the case. He uses a tool written by "Patrick Chambet" back in 2005 for the Honeynet project: http://seclists.org/honeypots/2005/q4/46 called "FakeNetbiosDGM and FakeNetbiosNS".

Finding the tools was no easy task though; googling for the file name, the author or the project just netted me this link:


Gotta love the Wayback Machine, I finally found it here: http://wayback.archive.org/web/*/http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip

and eventually also here (on the author's site of all places): http://www.chambet.com/tools.html

Question is, does it still work? Second question, how well does it work through/with Meterpreter?

(As a side note, I haven't tried, but you might be able to use Py2Exe or PyInstaller to run nbnspoof.py on a windows box)

When running it on XP SP3 I get the following

[Screenshot (2012-09-02 12:24:44 AM): FakeNetBIOS output on XP SP3]

Booooooooo, and on Windows 7 I get this:

[Screenshot (2012-09-02 12:29:03 AM): FakeNetBIOS output on Windows 7]

OK, error 10013 is a permissions issue; I can deal with that.

[Screenshot (2012-09-02 12:32:38 AM): FakeNetBIOS output on Windows 7, run as Administrator]

Run as Administrator it works! But something is wrong with the communication because the host doing the lookup doesn't get the correct resolution back.

From what I can google it looks as though Windows Firewall has an 'Anti-Spoofing' outbound filter, so these "Bytes sent" don't even make it to Wireshark.

I have created a GitHub repository, stuck the contents of the zip file in it, and this is where I ask for help. If you know 1) how to disable the Windows anti-spoofing filter or 2) how to circumvent it, please leave a comment here, open an issue on the repo or email me directly.

UPDATE (1&2 solved for this use case): http://www.room362.com/blog/2012/9/2/old-school-on-target-nbns-spoofing-part-2.html

The other thing is, if you want to improve the code, that would be awesome too, submit a pull request, I'd love to get this thing going again and make it into something that we can solidly use over a Meterpreter session.

Github repo: https://github.com/mubix/FakeNetBIOS

And if the only commit to this repo 5 years from now is "Initial commit" then at the very least it will be somewhere the next blogger who picks up the trail can get it from.

P.S. If you know how to solve the issue on XP, that would be an awesome fix as well.

UPDATE 2: Looks like the XP issue has the anti-spoofing too (i.e. it works great if you use the actual IP of the box with different hostnames).

I guess the only improvement I'd look for is for an .* (ALL HOSTS) ability.

Old School On-target NBNS Spoofing - Part 2

So it turns out that Windows Firewall talks IP addresses just like any other firewall, so if you configure FakeNetBIOSNS to tell everyone that the IP address for whatever they looked up is YOUR IP, guess what, no need to bypass the spoof filters ;-) Happy Rob!

$ cat nbns.ini

[Screenshot (2012-09-02 1:36:14 AM): contents of nbns.ini]

Results in:

[Screenshot (2012-09-02 1:35:58 AM): the resulting name resolution on the querying host]

Game ON!
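The part-2 trick (and the "ALL HOSTS" wish from update 2) boils down to one host answering every NBNS lookup with its own address, and that is exactly what a defender can look for on UDP/137. The following is an added example, not code from this post or from the FakeNetBIOS project: it parses NBNS positive name-query responses per RFC 1002 and flags a source that answers a canary name (a name that must never resolve) or that resolves more distinct names than any single workstation should. The host names, addresses and the canary name are constructed sample data.

```python
import struct
from collections import defaultdict
NB_TYPE = 0x0020        # NBNS "NB" record type: NetBIOS name -> IPv4 address
FLAG_RESPONSE = 0x8000  # QR bit in the NBNS header flags

def encode_nb_name(name, suffix=0x20):
    # RFC 1001 first-level encoding: 15-char padded name + suffix, each nibble -> 'A'..'P'
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def parse_nbns_response(pkt):
    """(name, suffix, [ipv4, ...]) for a positive name-query response, else None."""
    # Answer label at offset 12: 0x20 length byte, 32 encoded bytes, root label.
    if len(pkt) < 56 or pkt[12] != 0x20 or pkt[45] != 0:
        return None
    flags, qd, an = struct.unpack("!HHH", pkt[2:8])
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    # QR set, no question entries (RFC 1002 positive response), one NB answer record.
    if not flags & FLAG_RESPONSE or qd or an < 1 or rtype != NB_TYPE or len(pkt) < 56 + rdlen:
        return None
    # RDATA: 6-byte entries of 2-byte NB_FLAGS followed by a 4-byte IPv4 address.
    addrs = [".".join(map(str, pkt[i + 2:i + 6])) for i in range(56, 56 + rdlen, 6)]
    raw = bytes(((pkt[i] - 0x41) << 4) | (pkt[i + 1] - 0x41) for i in range(13, 45, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], addrs

def detect_rogue_responders(observed, canary_names, max_names=3):
    """Flag a UDP/137 source that answers a canary name (one that must never exist)
    or more than max_names distinct names: the footprint of an answer-all responder."""
    names_by_src, alerts = defaultdict(set), []
    for src, pkt in observed:  # observed: (src_ip, udp_payload) pairs
        parsed = parse_nbns_response(pkt)
        if parsed is None:
            continue
        name, _suffix, addrs = parsed
        names_by_src[src].add(name)
        if name in canary_names:
            alerts.append((src, "answered canary %s -> %s" % (name, ",".join(addrs))))
    alerts += [(s, "resolved %d distinct names" % len(n))
               for s, n in names_by_src.items() if len(n) > max_names]
    return alerts

# Constructed sample traffic (not from the post): 192.0.2.50 answers every name,
# canary included, with its own address; 192.0.2.10 answers only for its own name.
def _sample_response(txid, name, ip):
    return (struct.pack("!6H", txid, 0x8500, 0, 1, 0, 0) + b"\x20" + encode_nb_name(name)
            + b"\x00" + struct.pack("!HHIH", NB_TYPE, 1, 300, 6) + b"\x00\x00"
            + bytes(int(o) for o in ip.split(".")))
SAMPLE = [("192.0.2.50", _sample_response(t, n, "192.0.2.50")) for t, n in enumerate(
    ["WPAD", "FILESRV01", "CANARY-NOHOST", "PRINTSRV"], 1)] + [
    ("192.0.2.10", _sample_response(9, "FILESRV01", "192.0.2.10"))]
CANARIES = {"CANARY-NOHOST"}
```

Feed `detect_rogue_responders` the UDP/137 payloads from a capture (or a periodic canary lookup from a monitoring host) and any source that shows up in the alerts is worth a look.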

Cross-posted from Room362

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
