NetBIOS Spoofing

The other day I came across a post at skullsecurity.org that spoke about an interesting way of using NetBIOS name service for doing MiTM attack. The author showed how his tool nbpoison could be used to inject false NetBIOS information on the wire and spoof other hosts.

This is very interesting form of doing MiTM as there is no arp-spoofing involved and that is good, since every Tom, Dick and Harry’s device in the network today detects/blocks arp-poisoning kind of attacks. Also, arp-spoofing is way to noisy and can easily give away attackers presence in the network. Not to mention that its a old-school attack that has been there for quite some time now.

So, I decided to explore this and have some fun using the nbtools and figure out what all attacks can be made possible in my Lab. I have in all 3 machines in my lab - 2 WinXP Hosts and 1 Linux host which acts as the gateway for the windoze boxes. As the author has mentioned, this attacks are more useful in hotels or conferences where there are internet kiosks with captive portal authentication mechanisms.

Scenario 1: DNS Choking

This attack is useful when, for some reason, DNS server on a network is not reachable. There could be multiple possibilities -either uplink of the switch you are connected to is (purposely) physically disconnected or network/firewall miss-configuration or DNS server/service itself is down. Even some captive portals prevent access to any resources before you authenticate. So, if the DNS server is not available, as a last resort, Windoze will fall back to NetBIOS name resolution and this is where we can 0wn the box.


So, as you can see, webserver on the Linux box was used to host the fake page which could have been anything from fake captive portal logins to fake Gmail login page to trick the user into entering his credentials. In the above scenario, I had blocked all connections from the victims (10.10.10.7) machine using iptables on the gateway (Linux Box). FYI, the nbpoison tool can be run on any machine and need not be on the gateway.

Scenario 2: Abusing WPAD Requests

This type of attack is useful when browsers have the “Automatically detect settings” enabled in the “LAN Settings” menu. IE and Firefox both have this setting in order enable network administrators to automatically configure proxy settings. This is made possible using WPAD (Web Proxy Auto Discovery) protocol which also uses NetBIOS requests to look for the “wpad.dat” file. This is nothing but a simple plain-text configuration file that tells the browser which proxy to connect to for browsing the internet.

So, here we use the famous “sslstrip” to force HTTPS connection to HTTP and sniff passwords in clear text. Like before, we use the webserver on the Linux box to host the wpad.dat file which redirects the victims browser to sslstrip (running on port 8080) and we get to see all the good stuff :) !

The possibilities in this scenario are endless. We could use our own proxy, something like Paros to completely manipulate the victims browsing experience. But I will leave all the evil thinking to the reader as an exercise ;)

** DISCLAIMER: This is meant as a pure instructional tutorial. I am not responsible for the damages caused by any script-kiddies stupidity or lack of understanding thereof. No harm in any form was caused to anybody in the making of this tutorial.