NetSPI Blog

Identifying Rogue NBNS Spoofers

Karl Fosaaen
September 5th, 2013

One of the easiest ways for us to capture and/or relay hashes on the network is through NBNS spoofing. We will primarily use Responder.py or the Metasploit nbns spoofing module . Both of these tools can be great for attackers to use during a pen test, but remediation options for fixing the underlying issues are limited. In response to a lack of available mitigation options, I’ve written a script to help identify NBNS spoofers on the network.

This script makes frequent NBNS requests for a non-existent host name (the default is NETSPITEST) and it then listens for NBNS responses. Since there shouldn’t be any responses for this host name, the listener will sit idle until a response is received. If a response is received, we will know that there’s a spoofer on the network. Once a spoofer is identified, email alerting and syslogging options are available to alert network administrators of the issue.

Example Usage:

sudo python spoofspotter.py -i 192.168.1.161 -b 192.168.1.255 -n NBNSHOSTQUERY -s 192.168.1.2 -e karl.fosaaen@example.com -f test.log

This example command will make custom queries for NBNSHOSTQUERY for the responder to respond to. It will send an email alert to karl.fosaaen@example.com when an attack is identified and responses will also be logged to test.log

Required arguments:

-i 192.168.1.110      The IP of this host

-b 192.168.1.255     The Broadcast IP of this host

Optional arguments

-h, –help            Show this help message and exit

-f /home/nbns.log,

-F /home/nbns.log                             File name to save a log file

-S true               Log to local Syslog – this is pretty beta

-e you@example.com    The email to receive alerts at

-s 192.168.1.109      Email Server to Send Emails to

-n EXAMPLEDOMAIN      The string to query with NBNS, this should be unique

-R true               The option to send Garbage SMB Auth requests to the attacker (not implemented yet)

-c true               Continue Emailing After a Detection, could lead to spam

Example Script Output:

$ sudo python spoofspotter.py -i 192.168.1.161 -b 192.168.1.255 -n testfakehostname -s 192.168.1.2 -e karl.fosaaen@netspi.com -f test.log
Starting NBNS Request Thread...
Starting UDP Response Server...
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:47.497274 from host 192.168.1.162
Email Sent
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:49.549245 from host 192.168.1.162
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:51.600981 from host 192.168.1.162
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:53.657044 from host 192.168.1.162
A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:55.721037 from host 192.168.1.162
^C
Stopping Server and Exiting...

The script is available out on NetSPI’s github page: https://github.com/NetSPI/SpoofSpotter

There is an additional option that I’m currently working on, to make your pen tester especially annoyed. The –R flag will set the SMB response option to try and authenticate with the spoofer’s system. Since the NBNS spoofing attacks are used to capture (or relay hashes), why not send the attacker some hashes. Why not send a ton of them and make the attacker take their time trying to crack them, or just overload their logs. This will probably annoy an attacker more than anything else, but anything to make their attack harder may give you extra time to respond.

On that note, it was a little difficult for me to write this tool, as I have a feeling it will come back to haunt me in a future pen test. Feel free to send me any comments or feedback on the script through this blog or through our github page.

Special thanks go out to our client who had the idea for this script.

12
Leave a Reply

avatar
6 Comment threads
6 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
Karl FosaaenMike GoffVideoManDannyFiasco Averted Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest
Notify of
Jack
Guest

Great article, Karl.

One question: can you point toward a resource or tool which is capable of spoofing NBNS replies AND relaying SMB authentication as opposed to capturing with a known server challenge?

Thanks!

Fiasco Averted
Guest
Fiasco Averted

Correct me if I’m wrong, but this only protects against pentesters/attackers who aren’t targeting what they spoof for. If they spoof on only known real NetBios names, this thwarts the tool. The smallest of recon would stop this – but stopping low-hanging-fruit has value. A small edit of only requesting a realistic, but false NetBios name would make it slightly more difficult, forcing the attacker/tester to prove that a NetBios name exists before spoofing it. More intensive would be to base-line one or many real NetBios names and their proper replies and then continually requesting known good names and searching… Read more »

Danny
Guest
Danny

Hey Karl,

This is a fantastic idea. Exactly what I’ve been looking for!

Are there any requirements for running this script, aside from having scapy installed? Perhaps a specific version of Python?

When running this script (as root) using Python 2.7.5 on Fedora 19, I get the following error — regardless of which arguments I pass to the script:

“Server could not be started, confirm you’re running this as root.
Unhandled exception in thread started by
sys.excepthook is missing
lost sys.stderr”

Sorry to ask technical questions on your blog. I wasn’t sure of the best way to reach you. Thanks again!

Danny

VideoMan
Guest

Nice job Karl!

Responder now has a spiffy “Analyze” mode to combat this.

-David

Mike Goff
Guest
Mike Goff

Karl,

Help out a new guy here. I am sure I don’t have a dependency working correctly here. I have installed your script on Ubuntu 14.04.4 LTS. When I try and run it, I get was getting a scapy error, so I THINK I correctly installed scapy but I am not really sure. Do you have a list of which dependencies I need to have to make this work?
Thanks,
Mike