Adding LLMNR spoofing auxiliary module #524

Closed · wants to merge 2 commits · 4 participants
robin-francois commented Jun 25, 2012

This auxiliary module, greatly inspired by the NBNS spoofing one, is spoofing LLMNR (Link-Local Multicast Name Resolution, which is the successor of NetBIOS since Windows Vista) by responding to multicast queries with unicast spoofed responses.


robin-francois commented Jun 25, 2012

Easy-to-test module. With the attacker and victim on the same network, launch a browser and try to surf to a single word (e.g. wpad, isatap, ...); this should trigger a DNS query, then an LLMNR query and finally an NBNS query.
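The resolution chain described above (DNS, then LLMNR, then NBNS, with LLMNR queries multicast to 224.0.0.252 on UDP 5355 and answered by unicast) is also what makes spoofed LLMNR answers visible on the wire. The Ruby below is an added example, not code from this pull request or from Metasploit: it parses the DNS-style LLMNR message format and runs a small detector over constructed query/response pairs, flagging answers with no matching query, answers whose A record differs from the responder's own source address (the case the module's `SPOOFIP` option produces), answers for names such as wpad or isatap that should never be served over LLMNR, and a single host answering for many different names. The `LlmnrMonitor` class, its threshold, the watchlist and the sample addresses are assumptions made for the example.

```ruby
require 'ipaddr'
require 'set'

# LLMNR (RFC 4795) reuses the DNS message layout; queries are multicast to
# 224.0.0.252 on UDP 5355 and the answer comes back unicast from the responder.
LLMNR_PORT = 5355
LLMNR_GROUP_V4 = '224.0.0.252'
# Assumed watchlist: names that should resolve via DNS (or not at all), never via LLMNR.
WATCHLIST = %w[wpad isatap].freeze

# "wpad" -> "\x04wpad\x00" (DNS label encoding).
def encode_name(name)
  name.split('.').map { |l| [l.length].pack('C') + l.b }.join.b + "\x00".b
end

# Decode labels at +offset+ (following compression pointers); returns [name, next_offset].
def decode_name(data, offset)
  labels = []
  loop do
    len = data.getbyte(offset)
    raise 'truncated name' if len.nil?
    if len.zero?
      offset += 1
      break
    elsif (len & 0xC0) == 0xC0 # compression pointer into the message
      ptr = ((len & 0x3F) << 8) | data.getbyte(offset + 1)
      labels << decode_name(data, ptr).first
      offset += 2
      break
    else
      labels << data[offset + 1, len]
      offset += 1 + len
    end
  end
  [labels.join('.').force_encoding(Encoding::UTF_8), offset]
end

# Constructed packets used as sample input; nothing is sent on the network.
def build_query(name, id:)
  [id, 0x0000, 1, 0, 0, 0].pack('n6') + encode_name(name) + [1, 1].pack('nn')
end

def build_response(name, ip, id:, ttl: 30)
  header   = [id, 0x8000, 1, 1, 0, 0].pack('n6') # QR bit set
  question = encode_name(name) + [1, 1].pack('nn')
  answer   = encode_name(name) + [1, 1, ttl, 4].pack('nnNn') + IPAddr.new(ip).hton
  header + question + answer
end

def parse_llmnr(data)
  id, flags, qd, an, _ns, _ar = data.unpack('n6')
  off = 12
  questions = Array.new(qd) do
    name, off = decode_name(data, off)
    qtype, qclass = data[off, 4].unpack('nn')
    off += 4
    { name: name, type: qtype, class: qclass }
  end
  answers = Array.new(an) do
    name, off = decode_name(data, off)
    type, klass, ttl, rdlen = data[off, 10].unpack('nnNn')
    off += 10
    rdata = data[off, rdlen]
    off += rdlen
    addr = type == 1 && rdlen == 4 ? rdata.unpack('C4').join('.') : nil
    { name: name, type: type, class: klass, ttl: ttl, addr: addr }
  end
  { id: id, response: (flags & 0x8000) != 0, questions: questions, answers: answers }
end

# Hypothetical detector: feed it every LLMNR payload seen on the segment.
class LlmnrMonitor
  Alert = Struct.new(:kind, :src, :name, :detail)

  def initialize(max_names_per_host: 3)
    @pending = {} # [id, name] => true for queries observed so far
    @names_by_host = Hash.new { |h, k| h[k] = Set.new }
    @max_names = max_names_per_host
  end

  # Returns the alerts raised by one payload from +src_ip+.
  def observe(src_ip, data)
    msg = parse_llmnr(data)
    return record_query(msg) unless msg[:response]
    msg[:answers].flat_map { |a| check_answer(src_ip, msg[:id], a) }
  end

  private

  def record_query(msg)
    msg[:questions].each { |q| @pending[[msg[:id], q[:name].downcase]] = true }
    []
  end

  def check_answer(src_ip, id, ans)
    name = ans[:name].downcase
    alerts = []
    # A legitimate responder only answers a query it actually received.
    alerts << Alert.new(:unsolicited, src_ip, name, "no query with id #{id}") unless @pending.delete([id, name])
    # The module answers with SPOOFIP, which need not be the sender's own address.
    alerts << Alert.new(:addr_mismatch, src_ip, name, "A record #{ans[:addr]} != responder") if ans[:addr] && ans[:addr] != src_ip
    alerts << Alert.new(:watchlist_name, src_ip, name, 'name should never be served by LLMNR') if WATCHLIST.include?(name)
    # A real host answers only for its own name; a spoofer answers for every name matching its regex.
    names = @names_by_host[src_ip] << name
    alerts << Alert.new(:name_hoarding, src_ip, name, "#{names.size} distinct names claimed") if names.size > @max_names
    alerts
  end
end

# Constructed scenario: 10.0.0.5 queries, 10.0.0.66 answers everything.
def run_demo
  mon = LlmnrMonitor.new(max_names_per_host: 2)
  alerts = []
  alerts += mon.observe('10.0.0.5',  build_query('wpad', id: 0x1234))
  alerts += mon.observe('10.0.0.66', build_response('wpad', '10.0.0.66', id: 0x1234))
  alerts += mon.observe('10.0.0.5',  build_query('fileserver', id: 0x1235))
  alerts += mon.observe('10.0.0.66', build_response('fileserver', '10.0.0.99', id: 0x1235))
  alerts += mon.observe('10.0.0.66', build_response('printer', '10.0.0.66', id: 0x9999))
  alerts
end

run_demo.each { |a| puts "#{a.kind}: #{a.src} for #{a.name} (#{a.detail})" } if __FILE__ == $PROGRAM_NAME
```

In a real deployment the payloads would come from a socket joined to the 224.0.0.252 group plus a capture of the unicast replies; the name-hoarding rule is the one that most reliably separates a spoofer from a host answering for its own name, since the first three rules each have benign explanations in isolation.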

jlee-r7 commented on an outdated diff Jun 25, 2012

modules/auxiliary/spoof/llmnr/llmnr_response.rb
+ p.udp_sport = 5355 # LLMNR UDP port
+ p.udp_dport = src_port # Port used by sender
+ p.payload = response
+ p.recalc
+
+ capture_sendto(p, rhost,true)
+ vprint_good("Reply for #{llmnr_decodedname} sent to #{rhost} with spoofed IP #{datastore['SPOOFIP']}...")
+ close_pcap
+
+ else
+ vprint_status("Packet received from #{rhost} with name #{llmnr_decodedname} did not match regex")
+ end
+ end
+
+ rescue ::Exception => e
+ print_error("llmnr: #{e.class} #{e} #{e.backtrace}")
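Review bot: `rescue ::Exception => e` at the end of this hunk catches every exception class, including `Interrupt` and `SystemExit`, so the module would swallow a Ctrl-C and keep running; rescue `::StandardError` (or the specific classes the pcap and socket calls raise) instead, and move the backtrace out of `print_error` into `elog` so the console only shows `#{e.class} #{e}`. Also, `close_pcap` sits inside the branch that sends a reply, right after `capture_sendto`; if that branch runs once per matching query, the capture handle is closed after the first reply, so either confirm the surrounding loop reopens it or move `close_pcap` out of the per-packet path.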
jlee-r7 commented Jun 25, 2012

Modules should not print backtraces. Please add an elog for that.


jlee-r7 commented Jun 25, 2012

This is insanely verbose. On a network with one other system using LLMNR, I'm getting 9 lines of output every couple of seconds.


robin-francois commented Jun 26, 2012

I have changed the verbosity. It should be better when I commit the changes.


todb-r7 commented Jun 29, 2012

@robin-francois I assume you were rof on Freenode asking about multicast addressing in Rex Sockets. This works:

https://gist.github.com/211c9a7b381ffafe8d36

Please convert your ruby sockets to Rex sockets.


robin-francois commented Jul 2, 2012

Hi @todb-r7, I would be glad to use Rex sockets, but I am having trouble getting the same functionality as with the Ruby ones. For example, I cannot find how to bind to a port with the Rex sockets. Can you help me with these issues?


todb commented Jul 3, 2012

The best tactic for figuring out how to work with Rex sockets is to look at other modules that kind of do what you want.

In this case, binding a UDP socket with Rex is accomplished by the TFTP server mixin, so take a look at lib/rex/proto/tftp/server.rb.

    #
    # Start the TFTP server
    #
    def start
        self.sock = Rex::Socket::Udp.create(
            'LocalHost' => listen_host,
            'LocalPort' => listen_port,
            'Context'   => context
            )

        self.thread = Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
            monitor_socket
        }
    end

robin-francois commented Jul 30, 2012

Still working on this pull request to use the Rex sockets. I will commit changes soon.

todb-r7 closed this Aug 20, 2012
