
contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |
NBNSpoof is a tool for automatically crafting responses to NetBIOS Name Service (NBNS) name queries. When Windows machines fail to resolve domain names by DNS and WINS, they will send a broadcast NBNS query to see if the name in question matches any computer names on the local network. Crafting responses to these requests can be especially useful to an attacker in situations where the victim mis-types a domain name, or if the DNS server is unreachable.
NBNSpoof is a penetration testing tool designed to demonstrate this attack. It also serves as a useful illustration of how to develop small network security tools, since its creation has been documented in a short series of posts to this site.
NBNSpoof requires a working installation of both Python and the Scapy framework for sniffing and crafting packets. If you're into this sort of thing, you'll get to liking Scapy anyway :) . You can download NBNSpoof here:
nbnspoof.py [-v] -i <interface> -n <regexp> -h <ip address> -m <MAC>

    -v    Verbose output of sniffed NBNS name queries, and responses sent
    -i    The interface you want to sniff and send on
    -n    A regular expression applied to each query to determine whether a spoofed response will be sent
    -h    The IP address that will be sent in spoofed responses
    -m    The source MAC address for spoofed responses
For more detailed information, you may want to read the above-linked blog entries, and perhaps do a bit of source-diving (it's really short!) ;) .
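On the defending side, spoofed responses of the kind described above can be caught by watching for answers to names that no host on the network owns. The Python below is an added example, not part of NBNSpoof or the original page: it parses positive NBNS name query responses (UDP/137 payloads, RFC 1002 layout) and reports which answer addresses were claimed for canary names; the canary names, sample packets and function names are constructed for illustration.

```python
import socket
import struct

def encode_name(name, suffix=0x00):
    """RFC 1002 first-level encoding: 15-char padded name + suffix -> 32 letters A-P."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + half + b"\x00"

def decode_name(buf, off):
    """Inverse of encode_name; returns the name without padding/suffix, or None if malformed."""
    enc = buf[off + 1:off + 33]
    if buf[off] != 0x20 or buf[off + 33] != 0 or any(not 0x41 <= b <= 0x50 for b in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip()

def parse_response(payload):
    """Return (name, ip) for a positive NBNS name query response, else None."""
    if len(payload) < 62:  # 12 header + 34 name + 10 RR fields + 6 RDATA
        return None
    _tid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000 or flags & 0x000F or ancount < 1:
        return None  # a query, an error response, or no answer record
    name = decode_name(payload, 12)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
    if name is None or rtype != 0x0020 or rdlen < 6:
        return None
    return name, socket.inet_ntoa(payload[58:62])  # skip the 2-byte NB_FLAGS

def spoofing_responders(payloads, canaries):
    """Map each answer IP to the canary names it was claimed for."""
    hits = {}
    for name, ip in filter(None, map(parse_response, payloads)):
        if name in canaries:
            hits.setdefault(ip, set()).add(name)
    return hits

def build_response(name, ip, tid=0x1234):
    """Constructed sample data: a positive response claiming `name` resolves to `ip`."""
    hdr = struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0)
    rr = struct.pack("!HHIH", 0x0020, 0x0001, 165, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return hdr + encode_name(name) + rr

CANARIES = {"CANARY-X7Q2", "NOSUCHHOST-91"}  # constructed names that no real host owns
SAMPLES = [build_response(n, ip) for n, ip in [("FILESRV01", "192.0.2.10"),
           ("CANARY-X7Q2", "192.0.2.66"), ("NOSUCHHOST-91", "192.0.2.66")]]
```

The address reported is the one carried in the answer record, which corresponds to the -h value above; identifying the sending host additionally needs the frame's source MAC and IP from the capture.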