nbsniff – Abusing the Netbios Name Lookup Service

This is a very short post, basically pointing you at someone elses site for something awesome, however, seeing as it is kind of a hot topic, I may as well write SOMETHING about it.

Recently there was a massive stir about the “FLAME” malware (which I am working on an article about) using a MITM attack to propegate, by hijacking Microsoft Update(s).

Pretty cool, no?

Well, first off, lets look at how it went about it.
First off, it used the NetBIOS hijacking technique (wherin, any netbios name lookup was answered with “ME”) to give victims a bogus WPAD.dat file.

“lolwat”?
Ok. When your computer is looking up another computer, it first tries DNS to see can it resolve the domain to an IP. Hijacking someones DNS is trivial, but requires a full on ARP poisoning, or rerouting, attack, which is pretty involved. So. If the domain DOESN’T resolve, the computer broadcasts a “NetBIOS Name Lookup” to EVERYONE, and in theory, only a computer with a matching name will reply.

This is where we come in. We reply with “Yeah, thats us!” to their request, and they then “trust” that we are who they are looking for.

So. When their computer automatically checks is there a WPAD server (Web Proxy Auto Discovery – a server on the network that tells computers what proxy settings to use) – we tell them “yo, thats me”. And serve up a malicious WPAD.dat file. Which, could make them simply route all their traffic through a logging proxy on our box, but in this case, simply tells them that we are their Windows Update providers.

When they then request updates, we go “here” and give them their Windows Updates (actually malware).

A fairly trivial attack really… Though Ron over at SkullSecurity can provide you with software to do this kind of thing, and likely explains it better :)

So without further ado, here be links to some software and stuff for you to play with :)
http://www.skullsecurity.org/wiki/index.php/Nbtool
http://www.skullsecurity.org/wiki/index.php/Nbsniff
SkullSecurity – Pwning Hotel Guests