NetSPI Blog

Identifying Rogue NBNS Spoofers

Karl Fosaaen
September 5th, 2013

One of the easiest ways for us to capture and/or relay hashes on the network is through NBNS spoofing. We primarily use Responder.py or the Metasploit NBNS spoofing module. Both of these tools are great for attackers to use during a pen test, but remediation options for fixing the underlying issue are limited. In response to the lack of available mitigation options, I’ve written a script to help identify NBNS spoofers on the network.

This script makes frequent NBNS requests for a non-existent host name (the default is NETSPITEST) and it then listens for NBNS responses. Since there shouldn’t be any responses for this host name, the listener will sit idle until a response is received. If a response is received, we will know that there’s a spoofer on the network. Once a spoofer is identified, email alerting and syslogging options are available to alert network administrators of the issue.
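To make the mechanics above concrete, here is an added example (my own code, not SpoofSpotter or anything from the NetSPI repository) that builds the NBNS name query for a canary name, parses any positive NBNS answer that comes back, and treats an answer for the canary as a detection. The packet layouts follow RFC 1001/1002; the function names, the canary NETSPITEST, and the constructed_response() fixture (built from the RFC layout, not captured traffic) are all mine.

```python
"""Added example, not SpoofSpotter's code: encode an NBNS canary query, parse any
positive answer, and treat an answer for the canary as evidence of a spoofer."""
import datetime
import socket
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001   # NetBIOS general name service RR type, class IN


def encode_netbios_name(name, suffix=0x20):
    """RFC 1001 14.1 first-level encoding: upper-case, space-pad to 15 bytes, append the
    suffix byte (0x20 = file server service), split each byte into two nibbles + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded):
    """Reverse of encode_netbios_name; returns (name without padding, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, txid):
    """NAME QUERY REQUEST (RFC 1002 4.2.12): flags 0x0110 = QUERY, RD, broadcast; one NB/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name) + b"\x00" + struct.pack("!HH", NB_TYPE, IN_CLASS)
    return header + question


def _read_name(data, offset):
    """Read one NBNS name (32-byte label plus optional scope labels, or a 0xC0 pointer)."""
    if data[offset] & 0xC0 == 0xC0:                                # compression pointer
        pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
        return _read_name(data, pointer)[0], offset + 2
    if data[offset] != 32:
        raise ValueError("unexpected NBNS label length %d" % data[offset])
    encoded, offset = data[offset + 1:offset + 33], offset + 33
    while data[offset] != 0:                                       # skip scope-id labels
        offset += 1 + data[offset]
    return encoded, offset + 1


def parse_name_response(data):
    """Return (txid, name, suffix, [addresses]) for a positive NAME QUERY RESPONSE, else None."""
    if len(data) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or flags & 0x000F or ancount == 0:       # not a response / RCODE set / empty
        return None
    offset = 12
    for _ in range(qdcount):                                       # some responders echo the question
        offset = _read_name(data, offset)[1] + 4
    encoded, offset = _read_name(data, offset)
    rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
    if rtype != NB_TYPE or rclass != IN_CLASS:
        return None
    rdata = data[offset + 10:offset + 10 + rdlength]
    # RDATA is a list of ADDR_ENTRY records: 2 bytes of NB_FLAGS then an IPv4 address
    addresses = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]
    name, suffix = decode_netbios_name(encoded)
    return txid, name, suffix, addresses


def detect_spoof(packet, src_ip, canary, now=None):
    """The canary exists nowhere on the network, so a positive answer for it can only come
    from a host answering names it does not own. Returns a detection record or None."""
    parsed = parse_name_response(packet)
    if parsed is None or parsed[1] != canary.upper():
        return None
    return {"time": now or datetime.datetime.now(), "name": parsed[1],
            "from": src_ip, "claimed": parsed[3]}


def constructed_response(txid, name, claimed_ip):
    """Constructed test fixture, not captured traffic: a positive response laid out as in
    RFC 1002 4.2.13 (flags 0x8500 = response, authoritative, RD; no question section)."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = b"\x00\x00" + socket.inet_aton(claimed_ip)             # NB_FLAGS + address
    rr_header = struct.pack("!HHIH", NB_TYPE, IN_CLASS, 165, len(rdata))
    return header + bytes([32]) + encode_netbios_name(name) + b"\x00" + rr_header + rdata


def probe(bind_ip, broadcast_ip, canary, timeout=2.0):
    """Broadcast one query for the canary and collect detections for `timeout` seconds.
    Answers return to the query's source port, so binding UDP/137 is not required."""
    detections = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind((bind_ip, 0))
        sock.settimeout(timeout)
        sock.sendto(build_name_query(canary, 0x4E53), (broadcast_ip, 137))
        try:
            while True:
                packet, (src_ip, _) = sock.recvfrom(1024)
                record = detect_spoof(packet, src_ip, canary)
                if record:
                    detections.append(record)
                    print("spoofed NBNS answer for %(name)s from %(from)s claiming %(claimed)s at %(time)s" % record)
        except socket.timeout:
            pass
    return detections
```

Calling probe("192.168.1.161", "192.168.1.255", "NETSPITEST") in a loop every couple of seconds reproduces the behaviour of the script's request thread and response listener; the detection record keeps both the source IP of the answer and the address the answer claims for the canary, which normally match but are worth logging separately. Pick a canary that looks like a real host name on your network rather than something obviously fake, so a spoofer that only answers plausible names still trips it.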

Example Usage:

sudo python spoofspotter.py -i 192.168.1.161 -b 192.168.1.255 -n NBNSHOSTQUERY -s 192.168.1.2 -e karl.fosaaen@example.com -f test.log

This example command makes custom queries for NBNSHOSTQUERY for a spoofer to respond to. It will send an email alert to karl.fosaaen@example.com when an attack is identified, and responses will also be logged to test.log.

Required arguments:

-i 192.168.1.110      The IP of this host
-b 192.168.1.255      The broadcast IP of this host

Optional arguments:

-h, --help            Show this help message and exit
-f, -F /home/nbns.log File name to save a log file
-S true               Log to local syslog (this is pretty beta)
-e you@example.com    The email to receive alerts at
-s 192.168.1.109      Email server to send emails to
-n EXAMPLEDOMAIN      The string to query with NBNS; this should be unique
-R true               Send garbage SMB auth requests to the attacker (not implemented yet)
-c true               Continue emailing after a detection (could lead to spam)

Example Script Output:

$ sudo python spoofspotter.py -i 192.168.1.161 -b 192.168.1.255 -n testfakehostname -s 192.168.1.2 -e karl.fosaaen@netspi.com -f test.log
Starting NBNS Request Thread...
Starting UDP Response Server...
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:47.497274 from host 192.168.1.162
Email Sent
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:49.549245 from host 192.168.1.162
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:51.600981 from host 192.168.1.162
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:53.657044 from host 192.168.1.162
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:55.721037 from host 192.168.1.162
^C
Stopping Server and Exiting...

The script is available out on NetSPI’s github page: https://github.com/NetSPI/SpoofSpotter

There is an additional option that I’m currently working on, to make your pen tester especially annoyed. The -R flag will set the SMB response option to try and authenticate to the spoofer’s system. Since NBNS spoofing attacks are used to capture (or relay) hashes, why not send the attacker some hashes? Why not send a ton of them and make the attacker take their time trying to crack them, or just overload their logs? This will probably annoy an attacker more than anything else, but anything that makes their attack harder may give you extra time to respond.

On that note, it was a little difficult for me to write this tool, as I have a feeling it will come back to haunt me in a future pen test. Feel free to send me any comments or feedback on the script through this blog or through our github page.

Special thanks go out to our client who had the idea for this script.

Jack
7 years ago

Great article, Karl.

One question: can you point toward a resource or tool which is capable of spoofing NBNS replies AND relaying SMB authentication as opposed to capturing with a known server challenge?

Thanks!

Fiasco Averted
7 years ago

Correct me if I’m wrong, but this only protects against pentesters/attackers who aren’t targeting what they spoof for. If they spoof only known real NetBIOS names, this thwarts the tool. The smallest of recon would stop this – but stopping low-hanging fruit has value. A small edit of only requesting a realistic, but false, NetBIOS name would make it slightly more difficult, forcing the attacker/tester to prove that a NetBIOS name exists before spoofing it. More intensive would be to baseline one or many real NetBIOS names and their proper replies and then continually request known good names and search…

Danny
6 years ago

Hey Karl, this is a fantastic idea. Exactly what I’ve been looking for! Are there any requirements for running this script, aside from having scapy installed? Perhaps a specific version of Python? When running this script (as root) using Python 2.7.5 on Fedora 19, I get the following error, regardless of which arguments I pass to the script: “Server could not be started, confirm you’re running this as root. Unhandled exception in thread started by sys.excepthook is missing lost sys.stderr”. Sorry to ask technical questions on your blog. I wasn’t sure of the best way to reach you. Thanks…

Danny
6 years ago
Reply to Karl Fosaaen

Karl,

Here are the commands I’ve tried:

python spoofspotter.py -i 192.168.1.20 -b 192.168.1.255

sudo python spoofspotter.py -i 192.168.1.20 -b 192.168.1.255

Thanks again for your help!

Danny

VideoMan
6 years ago

Nice job Karl!

Responder now has a spiffy “Analyze” mode to combat this.

-David

Mike Goff
4 years ago

Karl,

Help out a new guy here. I am sure I don’t have a dependency working correctly here. I have installed your script on Ubuntu 14.04.4 LTS. When I try and run it, I was getting a scapy error, so I THINK I correctly installed scapy, but I am not really sure. Do you have a list of which dependencies I need to have to make this work?
Thanks,
Mike