A short introduction to how the NetBIOS protocol works.
When Windows tries to resolve a network name, it first queries DNS. If nobody has tampered with the DHCP exchange to substitute their own DNS server, and nobody has performed an ARP spoofing attack to redirect the traffic, the request reaches the configured DNS server, which in turn returns the required IP address.
If the DNS query is unsuccessful (for example, the DNS server is unavailable), Windows attempts to resolve the network name using the NetBIOS Name Service (NBNS). It is NetBIOS resolution that lets you ping SOMEPC (a name on the network): if SOMEPC is powered on and present on the network, the name SOMEPC is converted to an IP address. The most interesting thing is that it all comes down to a broadcast request: “Who owns SOMEPC?” The computer that has the name SOMEPC replies: “Hey, it's me!” But what prevents an attacker from claiming to be SOMEPC (or any other name)?
NBTool
One of the utilities in the NBTool package, nbpoison, intercepts NBNS broadcast requests (NetBIOS Name Query packets) on the network and answers the hosts that sent them (with NetBIOS Name Query Response packets), substituting its own IP address. In addition, if you use the -c switch (conflict flag), a host that has just come up receives a message that the name it registered is already in use on the network.
That is, the scenario looks like this. FREDSBOX (just booted and registered on the network): “Hey guys, for your attention: my name on the network is FREDSBOX.” Attacker: “No, dear, you are mistaken: I am FREDSBOX.” FREDSBOX: “Okay, sorry.” (From this point on, FREDSBOX no longer responds to requests addressed to its name.)
So, for example, suppose we want to answer all NBNS broadcast requests in the segment 172.21.49.0/24 with our own address 172.21.49.129 and thereby redirect all requests to our computer. To do this, run nbpoison with the parameters:
sudo ./nbpoison -s 172.21.49.129
The screenshot shows that when pinging the non-existent name NONAMESERVER1, the name is nevertheless resolved and the ping reply (echo-reply) comes from 172.21.49.129, i.e. the address we passed to nbpoison. Another point worth attention: nbpoison must be run as the superuser (root), since the utility uses the privileged UDP port 137.
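The same NBNS exchange seen from the defender's side, as an added example that is not part of the original article or of the NBTool package: a decoder for the UDP/137 name query and name query response packets described above, plus a detector that flags a host answering for a decoy name nobody owns (like NONAMESERVER1) or claiming several different names. The packet builders and the traffic list are constructed test fixtures, not a real capture.

```python
import struct
from collections import defaultdict

def encode_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: 15-char space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    enc = b"".join(bytes((0x41 + (c >> 4), 0x41 + (c & 0x0F))) for c in raw)
    return b"\x20" + enc + b"\x00"          # label length 32, encoded name, root label
def decode_name(data, off):
    enc = data[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode().rstrip(), raw[15], off + 34

def build_query(trn_id, name):               # test fixture: broadcast NB name query (flags 0x0110)
    return struct.pack("!6H", trn_id, 0x0110, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 0x20, 1)
def build_response(trn_id, name, ip):        # test fixture: positive name query response (flags 0x8500)
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))   # NB_FLAGS + NB_ADDRESS
    return struct.pack("!6H", trn_id, 0x8500, 0, 1, 0, 0) + encode_name(name) + struct.pack("!HHIH", 0x20, 1, 300000, 6) + rdata

def parse_nbns(payload):
    """Return transaction id, response flag, the queried/answered name and any NB addresses."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    name, _suffix, off = decode_name(payload, 12)
    rec = {"id": trn_id, "response": bool(flags & 0x8000), "name": name, "addresses": []}
    if rec["response"] and an:
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        rdata = payload[off + 10:off + 10 + rdlen]
        rec["addresses"] = [".".join(map(str, rdata[i + 2:i + 6])) for i in range(0, rdlen, 6)]
    return rec

def find_poisoners(packets, decoys, min_names=3):
    """packets: (src_ip, udp payload) pairs seen on port 137; flag decoy answerers and multi-name claimants."""
    claimed, suspects = defaultdict(set), set()
    for src, payload in packets:
        rec = parse_nbns(payload)
        if rec["response"]:
            claimed[src].add(rec["name"])
            if rec["name"] in decoys:        # nobody legitimately owns a decoy name
                suspects.add(src)
    suspects.update(src for src, names in claimed.items() if len(names) >= min_names)
    return sorted(suspects)

DECOYS = {"NONAMESERVER1"}   # constructed: a name no real host registers
SAMPLE = [                   # constructed traffic, not a real capture
    ("172.21.49.50", build_response(0x1234, "SOMEPC", "172.21.49.50")),
    ("172.21.49.10", build_query(0x1235, "NONAMESERVER1")),
    ("172.21.49.129", build_response(0x1235, "NONAMESERVER1", "172.21.49.129")),
    ("172.21.49.129", build_response(0x1236, "FREDSBOX", "172.21.49.129")),
    ("172.21.49.129", build_response(0x1237, "WPAD", "172.21.49.129")),
]
```

Periodically querying a decoy name from a monitoring host and alerting on any reply is enough to catch a poisoner on the segment, since a legitimate host only ever answers for its own name.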
Now let us consider several types of attacks in practice:
Imagine a situation where the corporate DNS server becomes unavailable for some reason: for example, the uplink of the switch your network is connected to is physically (or deliberately) disconnected, the router or firewall was misconfigured, or the corporate DNS server itself failed. Consequently, as mentioned above, when a network name cannot be resolved via DNS, Windows tries to resolve it by means of NetBIOS (NetBIOS Name Service).
So, as you can see, a Linux computer was used to substitute the web page. Instead of this page, one could display a fake page of some popular mail service such as Gmail, or of some social networking portal, and collect and log all the passwords entered.
The next type of attack we will consider can be used to intercept WPAD requests and collect confidential corporate user data. This attack method is applicable when the “Automatically detect proxy settings for this network” option is enabled in the browser. Both Internet Explorer and Mozilla Firefox support this feature so that the network administrator can automatically distribute the settings of the corporate proxy server. In this situation, by spoofing the NBNS reply, we can tell the victim to use our WPAD script, which redirects requests to sslstrip configured to listen on port 8080, and we can see a lot of interesting things.