Adding LLMNR spoofing auxiliary module #524

Closed
wants to merge 2 commits into from

robin-francois

This auxiliary module, greatly inspired by the NBNS spoofing, spoofs LLMNR (Link-Local Multicast Name Resolution, which is the successor of NetBIOS since Windows Vista) by responding to multicast queries with spoofed unicast responses.
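
For the defensive side of the behaviour described above, here is an added example (not part of the pull request or of Metasploit) that triages captured LLMNR datagrams offline and flags hosts that answer a canary name or answer for several different names. The function names, the canary name, the `max_names` threshold and the sample addresses are assumptions made for illustration.

```ruby
# LLMNR header (RFC 4795): ID, flags (QR = top bit), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.

# Parse header and first question name; nil on truncated or unexpected input.
def parse_llmnr(payload)
  return nil if payload.nil? || payload.bytesize < 12
  id, flags, qdcount, ancount = payload.unpack('n4')
  labels = []
  pos = 12
  while qdcount > 0
    len = payload.getbyte(pos)
    return nil if len.nil? || len > 63 # ran off the end, or a compression pointer
    break if len.zero?
    label = payload.byteslice(pos + 1, len)
    return nil if label.nil? || label.bytesize < len
    labels << label.downcase
    pos += 1 + len
  end
  { id: id, response: (flags & 0x8000) != 0, answers: ancount,
    name: labels.join('.').force_encoding('UTF-8') }
end

# A host normally answers only for its own name. Flag sources that answer a
# canary (a name that must not resolve) or more than max_names distinct names.
def suspicious_responders(datagrams, canaries:, max_names: 1)
  answered = Hash.new { |h, k| h[k] = [] }
  datagrams.each do |src, payload|
    msg = parse_llmnr(payload)
    next unless msg && msg[:response] && msg[:answers] > 0
    answered[src] |= [msg[:name]]
  end
  answered.each_with_object({}) do |(src, names), out|
    reasons = []
    reasons << :answered_canary unless (names & canaries).empty?
    reasons << :answers_many_names if names.size > max_names
    out[src] = reasons unless reasons.empty?
  end
end

# Constructed sample message builder (answer records omitted; only counts are read).
def build_llmnr(id, name, response: false, answers: 0)
  qname = name.split('.').map { |l| [l.bytesize].pack('C') + l.b }.join + "\x00".b
  [id, response ? 0x8000 : 0, 1, answers, 0, 0].pack('n6') + qname + [1, 1].pack('n2')
end

# Constructed capture: 192.0.2.66 answers both a real lookup and the canary.
SAMPLE = [
  ['192.0.2.10', build_llmnr(1, 'wpad')],
  ['192.0.2.66', build_llmnr(1, 'wpad', response: true, answers: 1)],
  ['192.0.2.66', build_llmnr(2, 'zz-canary-7f3a', response: true, answers: 1)],
  ['192.0.2.20', build_llmnr(3, 'fileserver', response: true, answers: 1)]
].freeze
```

Calling `suspicious_responders(SAMPLE, canaries: ['zz-canary-7f3a'])` reports only 192.0.2.66; the host that answers for a single name and the plain query are ignored.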

@robin-francois
Author

Easy-to-test module. With attacker and victim on the same network, launching a browser and trying to surf to a single word (e.g. wpad, isatap, ...) should trigger a DNS query, then an LLMNR query and finally an NBNS query.

end

rescue ::Exception => e
print_error("llmnr: #{e.class} #{e} #{e.backtrace}")
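
Review bot: `rescue ::Exception => e` on the rescue line catches every exception class, including Interrupt and SystemExit, so a Ctrl-C or a normal shutdown is handled here like an ordinary socket error. Rescue StandardError (or the specific socket errors expected in this block) instead, so that only operational failures reach this handler.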
Contributor

Modules should not print backtraces. Please add an elog for that.

@jlee-r7
Contributor

jlee-r7 commented Jun 25, 2012

This is insanely verbose. On a network with one other system using LLMNR, I'm getting 9 lines of output every couple of seconds.

@robin-francois
Author

I have changed the verbosity. It should be better when I commit the changes.

@todb-r7

todb-r7 commented Jun 29, 2012

@robin-francois I assume you were rof on Freenode asking about multicast addressing in Rex Sockets. This works:

https://gist.github.com/211c9a7b381ffafe8d36

Please convert your ruby sockets to Rex sockets.

@robin-francois
Author

Hi @todb-r7, I would be glad to use Rex sockets, but I am having issues getting the same functionality as with the Ruby ones. For example, I cannot find how to bind to a port with the Rex sockets. Can you help me with these issues?

@todb
Contributor

todb commented Jul 3, 2012

The best tactic for figuring out how to work with Rex sockets is to look at other modules that kind of do what you want.

In this case, binding a UDP socket with Rex is accomplished by the TFTP server mixin, so take a look at lib/rex/proto/tftp/server.rb.

    #
    # Start the TFTP server
    #
    def start
        self.sock = Rex::Socket::Udp.create(
            'LocalHost' => listen_host,
            'LocalPort' => listen_port,
            'Context'   => context
            )

        self.thread = Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
            monitor_socket
        }
    end

@robin-francois
Author

Still working on this pull request to use the Rex sockets. I will commit changes soon.

4 participants