This Metasploit module continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed local networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a WPAD lookup. Distant targets may require more time and lower rates for a successful attack.
4c46a17b6b28a0831bd545f008514748b910a2c34d2ae38a4055e1330ff321bcThis Metasploit module listens for a NetBIOS name request and then continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a WPAD lookup. Distant targets may require more time and lower rates for a successful attack. This Metasploit module works when the target is behind a NAT gateway, since the stream of NetBIOS responses will keep the NAT mapping alive after the initial setup. To trigger the initial NetBIOS request to the Metasploit system, force the target to access a UNC link pointing to the same address (HTML, Office attachment, etc). This NAT-piercing issue was named the BadTunnel vulnerability by the discoverer, Yu Yang (@tombkeeper). The Microsoft patches (MS16-063/MS16-077) impact the way that the proxy host (WPAD) host is identified, but do change the predictability of NetBIOS requests.
d5dfa1bfa123e24ddb241e14436bdef941a832ae76b1f53bde9a4e4f19a2bd81Xcon 2005: I want to see farther
b915fe90362db76cec184c3a1d6e71e00a87d32076bff84f7c84c37374aff602
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed