NetBIOS Name Service Spoofing

While I was sleeping off the cyber-defense competition and spending some time with my wife over spring break, the security scene kept moving, of course. Yesterday, a friend of mine pasted me a link to an interesting attack. Interesting, in that it’s simple, obvious, and the sort of thing you kick yourself in the butt for not thinking of trying before.

Here is the blog entry by Sumit Siddharth, with a link to a more detailed writeup. It’s simple enough that the writeup is one page :). The basic idea is that if a Windows host can’t find a domain name’s IP address by local information, DNS, or WINS, the next step is to look for it with a NetBIOS Name Service request (assuming that NetBIOS over TCP/IP is enabled).

These NBNS requests are sent out as broadcast UDP, and are just begging to have crafted responses sent back. So, if someone on the local network fat-fingered and tried to go to “example.cpm” rather than “example.com”, Windows would wind up giving the local network a shot at it with NBNS. At this point, all the attacker has to do is send a response back with “oh yes, thank you, EXAMPLE.CPM is at [attacker-controlled ip]”.

How easy is that! I was aware of this behavior, as I have often observed it on networks when the uplink (and DNS server) is out of commission. Clients’ web browsers, email clients, spyware, and whatever else make Windows pump out NBNS requests for GMAIL.COM, POP.EXAMPLE.COM, WEATHERBUG.COM and the like. It never occurred to me to try and craft a response, so it’s a huge “duh” moment for me right now. I suppose I was always too annoyed at the network taking a dive to think carefully about what I was seeing ;).
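The flip side of this is that the same broadcast traffic is easy to watch for. The following is an added example (not from the original post, FakeNetbiosNS, or any other tool mentioned here) that parses NBNS name queries and positive name query responses per RFC 1002 in plain Python, with no Scapy dependency, and flags the two things a defender cares about: a DNS-style name (one containing a dot, like GMAIL.COM or EXAMPLE.CPM) falling through to NBNS at all, and a response that answers such a name or that no one asked for. The packets in `SAMPLE_CAPTURE` are constructed by hand for this example using RFC 5737 documentation addresses; they are not a real capture, and the suffix byte 0x20 is assumed for the server-service lookup.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# NBNS (RFC 1002) constants used below
NB_RR_TYPE = 0x0020        # "NB" resource record type
FLAG_RESPONSE = 0x8000     # R bit in the NBNS header flags


def decode_netbios_name(data: bytes, offset: int) -> Tuple[str, int, int]:
    """Undo RFC 1001 first-level encoding: each nibble of the 16-byte NetBIOS name
    is stored as one ASCII letter ('A' + nibble), giving a single 32-byte label.
    Returns (name without space padding, 16th 'suffix' byte, offset after the name)."""
    if data[offset] != 32:
        raise ValueError("NBNS names are always a single 32-byte label")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[offset + 33] != 0:
        raise ValueError("missing root label terminator")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


@dataclass
class NbnsPacket:
    trn_id: int
    is_response: bool
    name: str
    suffix: int
    address: Optional[str] = None   # IPv4 from the answer RR; None for queries


def parse_nbns(payload: bytes) -> NbnsPacket:
    """Parse a name query or a positive name query response (the two shapes this example handles)."""
    trn_id, flags, _qdcount, _ancount, _, _ = struct.unpack("!6H", payload[:12])
    is_response = bool(flags & FLAG_RESPONSE)
    name, suffix, offset = decode_netbios_name(payload, 12)
    if not is_response:
        return NbnsPacket(trn_id, False, name, suffix)
    rr_type, _rr_class, _ttl, rdlength = struct.unpack("!HHIH", payload[offset:offset + 10])
    if rr_type != NB_RR_TYPE or rdlength < 6:
        raise ValueError("not a positive NB name query response")
    # RDATA is NB_FLAGS (2 bytes) followed by NB_ADDRESS (4 bytes); we read the first entry only
    addr = payload[offset + 12:offset + 16]
    return NbnsPacket(trn_id, True, name, suffix, ".".join(str(b) for b in addr))


@dataclass
class Alert:
    kind: str
    trn_id: int
    name: str
    src_ip: str


class NbnsSpoofDetector:
    """Tracks broadcast NBNS queries seen on a segment and flags:
    - dns-fallback-query: a query for a dotted (DNS-style) name, which only reaches NBNS
      after DNS has failed (typo or outage); this is the early-warning signal
    - spoofed-dns-name: a response answering such a dotted name
    - unsolicited-response: a response whose (transaction id, name) matches no query seen"""

    def __init__(self) -> None:
        self.outstanding: Set[Tuple[int, str]] = set()

    def observe(self, src_ip: str, payload: bytes) -> List[Alert]:
        pkt = parse_nbns(payload)
        alerts: List[Alert] = []
        key = (pkt.trn_id, pkt.name)
        if not pkt.is_response:
            self.outstanding.add(key)
            if "." in pkt.name:
                alerts.append(Alert("dns-fallback-query", pkt.trn_id, pkt.name, src_ip))
            return alerts
        if key in self.outstanding:
            self.outstanding.discard(key)
        else:
            alerts.append(Alert("unsolicited-response", pkt.trn_id, pkt.name, src_ip))
        if "." in pkt.name:
            alerts.append(Alert("spoofed-dns-name", pkt.trn_id, pkt.name, src_ip))
        return alerts


# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
# Names hand-encoded as above: "EXAMPLE.CPM" + 4 spaces + suffix 0x20, "FILESRV01" + 6 spaces + suffix 0x20
ENC_EXAMPLE_CPM = b"\x20" + b"EFFIEBENFAEMEFCOEDFAENCACACACACA" + b"\x00"
ENC_FILESRV01 = b"\x20" + b"EGEJEMEFFDFCFGDADBCACACACACACACA" + b"\x00"
QUESTION_TAIL = b"\x00\x20\x00\x01"                             # type NB, class IN
RR_TAIL = b"\x00\x20\x00\x01\x00\x04\x93\xe0\x00\x06\x00\x00"   # type NB, class IN, TTL 300000, RDLENGTH 6, NB_FLAGS 0

SAMPLE_CAPTURE = [
    # broadcast query for the mistyped name, then a response from an unexpected host
    ("192.0.2.50", b"\x0b\x2d\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00" + ENC_EXAMPLE_CPM + QUESTION_TAIL),
    ("192.0.2.99", b"\x0b\x2d\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00" + ENC_EXAMPLE_CPM + RR_TAIL + b"\xc0\x00\x02\x63"),
    # ordinary query for a LAN host and the legitimate answer
    ("192.0.2.50", b"\x0b\x2e\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00" + ENC_FILESRV01 + QUESTION_TAIL),
    ("192.0.2.10", b"\x0b\x2e\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00" + ENC_FILESRV01 + RR_TAIL + b"\xc0\x00\x02\x0a"),
    # a response nobody asked for
    ("192.0.2.99", b"\x0b\x2f\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00" + ENC_FILESRV01 + RR_TAIL + b"\xc0\x00\x02\x63"),
]


def run_detector(capture=SAMPLE_CAPTURE) -> List[Alert]:
    det = NbnsSpoofDetector()
    alerts: List[Alert] = []
    for src_ip, payload in capture:
        alerts.extend(det.observe(src_ip, payload))
    return alerts


if __name__ == "__main__":
    for a in run_detector():
        print(f"{a.kind:22} trn=0x{a.trn_id:04x} name={a.name!r} from {a.src_ip}")
```

On the sample above the detector raises three alerts: the fallback query for EXAMPLE.CPM, the response answering it, and the stray FILESRV01 answer with no matching transaction. In a real deployment the payloads would come from UDP/137 packets off a capture interface, and the outstanding-query set needs an expiry so a busy segment does not grow it without bound; the dotted-name rule is the cheap one worth alerting on first, since a healthy network with working DNS should almost never broadcast such names.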

So there’s a lesson learned: Every bit of unexpected behavior is a potential vector for a new attack.

There’s a link in the article to a tool, FakeNetbiosNS, which seems OK, although I’m pretty sure I’d rather write my own, using Scapy. This should make things very simple and allow me to work the results into just about any other kind of app I hack together in Python. So, I’m planning on doing just that, and as a bonus, if it goes well, I plan on documenting the development of it in some blog entries. I think it’d be helpful to some to see the process of creating a really simple tool from start to finish.
