Wednesday, February 20, 2008

Pentester trick #2: faking NetBIOS names


There was a buzz at BlackHat US 2007 around the H.D. Moore and Valsmith attack against the Internet Explorer proxy autoconfiguration feature.

To sum up, if any host on the network is named "WPAD", Internet Explorer will treat it as the enterprise Web proxy.

The original attack is based on the "Dynamic DNS Update" feature of Windows DNS servers. DNS updates can be:
  • DNS-based, unauthenticated. Game over.
  • DNS-based, authenticated. Nice try, but since any domain user can create up to 10 computer accounts in Active Directory, it is quite easy to name a computer "WPAD", join the domain and authenticate.
  • DHCP-based. Game over, too: the DNS server will blindly trust the host name you send.
OK, but what if the "Dynamic DNS Update" feature has been disabled? Or if you need to register names quickly? Joining a new computer to the domain is not an option in that case.

Fortunately, everybody who has sniffed a Windows network for more than 5 minutes knows that most Windows clients "in the wild" use misconfigured name resolution: they fall back to NBNS (NetBIOS Name Service) when DNS fails.

So how could you take advantage of a broadcast NBNS request for "WPAD" (or any other name) to redirect the target's traffic?

One solution would be to use the FakeNetBIOS tools, but they rely on raw sockets, which are broken on Windows XP SP2. Another would be to use Scapy as an NBNS responder, but the Windows port is not mature yet :)

As usual, the best solution is to rely on Windows built-in mechanisms to solve the puzzle.

Under HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters, there is a REG_MULTI_SZ value called OptionalNames.

Any name listed there will be claimed by the local computer during NBNS name resolution. Then restart the Server service:

net stop lanmanserver
net start lanmanserver

Job done!
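Whether a name is claimed through OptionalNames or by a standalone responder, it looks the same on the wire: a positive NBNS name query response (UDP/137, RFC 1002 format) for the spoofed name. The decoder below is an added example, not code from the original post or from the FakeNetBIOS or Scapy projects; it parses such responses, undoes the NetBIOS first-level name encoding, and flags a sensitive name like WPAD answered by any address other than its known owner. The sample datagram, the 10.0.0.x addresses and the expected-owner table are constructed for the example.

```python
"""
NBNS (NetBIOS Name Service, RFC 1002) response decoder used to spot hosts
that answer name queries for sensitive names such as WPAD.
Added example; not code from the original post.
"""
import struct
from typing import Dict, List, Tuple

NB_RR_TYPE = 0x0020                 # "NB" resource record: name -> address mapping
SENSITIVE_NAMES = {"WPAD"}          # names a rogue host can use to redirect client traffic


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1002 4.1): pad the name to 15 bytes, append the
    suffix byte, then write each byte as two letters, 'A' + high nibble and
    'A' + low nibble. Returns the length-prefixed, NUL-terminated label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_netbios_name(data: bytes, offset: int) -> Tuple[str, int, int]:
    """Reverse the first-level encoding; return (name, suffix, offset after the label)."""
    if data[offset] != 32:
        raise ValueError("unexpected NetBIOS label length %d" % data[offset])
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    pos = offset + 33
    while data[pos] != 0:            # skip any NetBIOS scope labels
        pos += 1 + data[pos]
    return raw[:15].decode("ascii").rstrip(" "), raw[15], pos + 1


def parse_nbns_response(pkt: bytes) -> List[Dict]:
    """Return the NB records of a positive name query response; [] for queries
    or negative responses. Each record: name, suffix, ttl, group flag, addresses."""
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F:   # not a response, or RCODE != 0
        return []
    pos = 12
    for _ in range(qdcount):                   # normally 0 in a response
        _, _, pos = decode_netbios_name(pkt, pos)
        pos += 4                               # QUESTION_TYPE + QUESTION_CLASS
    records = []
    for _ in range(ancount):
        name, suffix, pos = decode_netbios_name(pkt, pos)
        rr_type, _, ttl, rdlength = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        rdata = pkt[pos:pos + rdlength]
        pos += rdlength
        if rr_type != NB_RR_TYPE:
            continue
        addrs, group = [], False
        for i in range(0, rdlength, 6):        # NB_FLAGS(2) + NB_ADDRESS(4) entries
            nb_flags = struct.unpack("!H", rdata[i:i + 2])[0]
            group = group or bool(nb_flags & 0x8000)   # G bit: group name
            addrs.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
        records.append({"txid": txid, "name": name, "suffix": suffix,
                        "ttl": ttl, "group": group, "addresses": addrs})
    return records


def flag_suspicious(records: List[Dict], expected_owners: Dict[str, str]) -> List[str]:
    """Alert on any sensitive name answered by an address other than its known owner."""
    alerts = []
    for r in records:
        if r["name"] not in SENSITIVE_NAMES:
            continue
        legit = expected_owners.get(r["name"])
        for ip in r["addresses"]:
            if ip != legit:
                alerts.append("%s<%02X> claimed by %s (expected %s)"
                              % (r["name"], r["suffix"], ip, legit or "nobody"))
    return alerts


# Constructed sample: a positive name query response for WPAD<00> from 10.0.0.99
# (hand-built test data, not a real capture).
SAMPLE_WPAD_RESPONSE = (
    bytes.fromhex("1234 8580 0000 0001 0000 0000")           # txid, flags R|AA|RD|RA, ANCOUNT=1
    + b"\x20" + b"FHFAEBEE" + b"CA" * 11 + b"AA" + b"\x00"   # "WPAD" padded + suffix 0x00
    + bytes.fromhex("0020 0001 000493e0 0006")              # type NB, class IN, TTL 300000, RDLENGTH 6
    + bytes.fromhex("0000 0a000063")                        # NB_FLAGS (unique, B-node), 10.0.0.99
)

if __name__ == "__main__":
    recs = parse_nbns_response(SAMPLE_WPAD_RESPONSE)
    # 10.0.0.5 stands in for the legitimate proxy (constructed value)
    for line in flag_suspicious(recs, {"WPAD": "10.0.0.5"}):
        print("ALERT:", line)
```

Feed it the payloads of UDP/137 datagrams from a capture; because the name suffix and the group bit are carried through, the same check extends to other name types by adding entries to SENSITIVE_NAMES. Since the post's trick needs nothing but a registry value and a service restart, watching for a name like WPAD suddenly acquiring a new owner is cheaper than trying to keep the clients from asking.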
