Tim Medin, over at the excellent Packetstan blog, just wrote up an excellent post detailing the implementation of a NBNS spoofing module which has been added to the the latest Metasploit trunk:

This module is based off an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows proceeds to NetBIOS Name Service lookups once local and DNS lookups fail. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fail through to NBNS for various reasons.

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Due to its integration into the current version of the Metasploit framework, I’d have to say that I recommend it over the original python version. Maybe one day soon I’ll one-up him and try to turn it into a meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!

  5 Responses to “NBNS Spoofing in Metasploit”

  1. Method of snatching credentials in there somewhere I presume?

    • Tim’s post presents one scenario for harvesting hashes. There’s not anything built into my tool beyond the spoofing step (nor in Tim’s module, in isolation from the rest of the framework), since there’s a lot of different attacks that can take place as a result of the spoofing. Basically, any kind of passive logging or active exploitation you’d do once you manage to spoof DNS, you can do after spoofing NBNS. The only real concern is that in exchange for having something easier to spoof (since the requests are sent to the broadcast address), you’re limited to the local network.

  2. Ive screwed around with dns spoofing with ettercap and redirected people to a site on my laptop many times for the lulz, but, couldnt that be avoided by simply having manual dns servers entered in your settings? Or is that not going to help at all? Not trollin, honest question.

    • Depends on what you’re doing to spoof DNS. If you’re trying to fool them into thinking your IP is their DNS server (trying to beat their DHCP responses or something), then yeah, entering manual servers will help. I’m not familiar with how Ettercap does DNS spoofing (only used it ages ago, and only then for ARP poisoning).

      What I normally think of when I think of DNS spoofing is either beating DNS responses (if I can see them and get the source port and request number right) or something like Kaminsky’s attack from a few years ago where I can poison entries. In these kinds of situations, it really doesn’t matter what they think their DNS server is, and you even have the potential to do it to the DNS servers themselves, making them cache spoofed responses for some time to serve out to everyone that uses the server.

      Short answer: not going to help, unless you’re manipulating how they get their DNS server in the first place, and that’s not necessarily how DNS spoofing is always done.

  3. yeah but im not too worried about my security here because I use windows 98

 Leave a Reply



You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

© 2012 McGrew Security Suffusion theme by Sayontan Sinha