One of the easiest ways for us to capture and/or relay hashes on the network is through NBNS spoofing. We will primarily use Responder.py or the Metasploit nbns spoofing module . Both of these tools can be great for attackers to use during a pen test, but remediation options for fixing the underlying issues are limited. In response to a lack of available mitigation options, I’ve written a script to help identify NBNS spoofers on the network.
This script makes frequent NBNS requests for a non-existent host name (the default is NETSPITEST) and it then listens for NBNS responses. Since there shouldn’t be any responses for this host name, the listener will sit idle until a response is received. If a response is received, we will know that there’s a spoofer on the network. Once a spoofer is identified, email alerting and syslogging options are available to alert network administrators of the issue.
sudo python spoofspotter.py -i 192.168.1.161 -b 192.168.1.255 -n NBNSHOSTQUERY -s 192.168.1.2 -e firstname.lastname@example.org -f test.log
This example command will make custom queries for NBNSHOSTQUERY for the responder to respond to. It will send an email alert to email@example.com when an attack is identified and responses will also be logged to test.log
-i 192.168.1.110 The IP of this host
-b 192.168.1.255 The Broadcast IP of this host
-h, –help Show this help message and exit
-F /home/nbns.log File name to save a log file
-S true Log to local Syslog – this is pretty beta
-e firstname.lastname@example.org The email to receive alerts at
-s 192.168.1.109 Email Server to Send Emails to
-n EXAMPLEDOMAIN The string to query with NBNS, this should be unique
-R true The option to send Garbage SMB Auth requests to the attacker (not implemented yet)
-c true Continue Emailing After a Detection, could lead to spam
Example Script Output:
$ sudo python spoofspotter.py -i 192.168.1.161 -b 192.168.1.255 -n testfakehostname -s 192.168.1.2 -e email@example.com -f test.log Starting NBNS Request Thread... Starting UDP Response Server... A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:47.497274 from host 192.168.1.162 Email Sent A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:49.549245 from host 192.168.1.162 A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:51.600981 from host 192.168.1.162 A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:53.657044 from host 192.168.1.162 A spoofed NBNS response for testfakehostname was detected by 192.168.1.161 at 2013-09-04 12:03:55.721037 from host 192.168.1.162 ^C Stopping Server and Exiting...
The script is available out on NetSPI’s github page: https://github.com/NetSPI/SpoofSpotter
There is an additional option that I’m currently working on, to make your pen tester especially annoyed. The –R flag will set the SMB response option to try and authenticate with the spoofer’s system. Since the NBNS spoofing attacks are used to capture (or relay hashes), why not send the attacker some hashes. Why not send a ton of them and make the attacker take their time trying to crack them, or just overload their logs. This will probably annoy an attacker more than anything else, but anything to make their attack harder may give you extra time to respond.
On that note, it was a little difficult for me to write this tool, as I have a feeling it will come back to haunt me in a future pen test. Feel free to send me any comments or feedback on the script through this blog or through our github page.
Special thanks go out to our client who had the idea for this script.