Adding LLMNR spoofing auxiliary module #524


robin-francois commented Jun 25, 2012

This auxiliary module, greatly inspired by the NBNS spoofing one, spoofs LLMNR (Link Local Multicast Name Resolution, the successor of NetBIOS since Windows Vista) by responding to multicast queries with unicast spoofed responses.


robin-francois commented Jun 25, 2012

Easy-to-test module. Attacker and victim on the same network: launch a browser and try to surf to a single word (ex: wpad, isatap, ...); this should trigger a DNS query, then an LLMNR query and finally an NBNS query.
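A defender-side complement to the resolution chain described above, added here as an example and not code from this pull request or from Metasploit: LLMNR reuses the DNS wire format (multicast query to 224.0.0.252 on UDP/5355, unicast answer), so a monitor can decode what it sees on the link and flag an answer for names such as wpad, or for a canary name that no host legitimately owns. The helper names and the sample bytes are constructed for this example.

```ruby
require 'securerandom'

# LLMNR (RFC 4795) reuses the DNS wire format: clients multicast a query to
# 224.0.0.252 on UDP/5355 and the name owner answers by unicast. These helpers
# (hypothetical names, not Metasploit code) decode such datagrams so a monitor
# can flag answers for names that only a spoofer would claim.
WATCHLIST = %w[wpad isatap].freeze # names clients try via LLMNR once DNS fails

# Build a single-question A query; the id is random unless given.
def build_llmnr_query(name, id = SecureRandom.random_number(0x10000))
  qname = name.split('.').map { |l| [l.bytesize, l].pack('Ca*') }.join + "\x00"
  [id, 0x0000, 1, 0, 0, 0].pack('n6') + qname + [1, 1].pack('nn')
end

# Decode the header and first question; returns nil for malformed input.
def parse_llmnr(payload)
  return nil if payload.bytesize < 12
  id, flags, qdcount, ancount = payload.unpack('n4')
  return nil if qdcount.zero?
  labels = []
  pos = 12
  loop do
    len = payload.getbyte(pos)
    return nil if len.nil? || (len & 0xC0) != 0 # questions never use compression
    pos += 1
    break if len.zero?
    labels << payload.byteslice(pos, len)
    pos += len
  end
  return nil if pos + 4 > payload.bytesize
  qtype, qclass = payload.unpack("@#{pos}nn")
  { id: id, response: flags[15] == 1, conflict: flags[10] == 1,
    name: labels.join('.').downcase, qtype: qtype, qclass: qclass, ancount: ancount }
end

# Judge one datagram. `canaries` maps ids of queries we sent for random names
# (which no host legitimately owns) to those names: any answer to one is a
# spoofer. Answers for watchlisted names are flagged as well.
def classify_llmnr(payload, canaries = {})
  rec = parse_llmnr(payload)
  return :malformed unless rec
  return :query unless rec[:response]
  return :canary_answered if canaries[rec[:id]] == rec[:name]
  return :watchlist_answered if WATCHLIST.include?(rec[:name])
  :answer
end
```

Feeding the decoder from a UDP socket bound to port 5355 that has joined 224.0.0.252 is left to the caller; the classification itself needs no network access.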

@jlee-r7 jlee-r7 commented on an outdated diff Jun 25, 2012

+ p.udp_sport = 5355 # LLMNR UDP port
+ p.udp_dport = src_port # Port used by sender
+ p.payload = response
+ p.recalc
+ capture_sendto(p, rhost,true)
+ vprint_good("Reply for #{llmnr_decodedname} sent to #{rhost} with spoofed IP #{datastore['SPOOFIP']}...")
+ close_pcap
+ else
+ vprint_status("Packet received from #{rhost} with name #{llmnr_decodedname} did not match regex")
+ end
+ end
+ rescue ::Exception => e
+ print_error("llmnr: #{e.class} #{e} #{e.backtrace}")
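Review bot: `rescue ::Exception` around this loop also catches Interrupt and SystemExit, so a Ctrl-C or a clean module stop is swallowed into the `print_error` line; rescue `StandardError` (or the specific socket/pcap errors expected here) instead, and, as the review above asks, send `e.backtrace` to `elog` rather than printing it to the console. Separately, `close_pcap` sits inside the matched branch directly after `capture_sendto`; if that branch runs once per received query, the capture handle is torn down after the first spoofed reply, so open and close it once around the whole loop instead.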

jlee-r7 Jun 25, 2012

Modules should not print backtraces. Please add an elog for that.


jlee-r7 commented Jun 25, 2012

This is insanely verbose. On a network with one other system using LLMNR, I'm getting 9 lines of output every couple of seconds.


robin-francois commented Jun 26, 2012

I have changed the verbosity. It should be better when I commit the changes.


todb-r7 commented Jun 29, 2012

@robin-francois I assume you were rof on Freenode asking about multicast addressing in Rex Sockets. This works:

Please convert your ruby sockets to Rex sockets.


robin-francois commented Jul 2, 2012

Hi @todb-r7, I would be glad to use Rex sockets but I am having trouble getting the same functionality as with the Ruby ones. For example, I cannot find how to bind to a port with the Rex sockets. Can you help me with these issues?


todb commented Jul 3, 2012

The best tactic for figuring out how to work with Rex sockets is to look at other modules that kind of do what you want.

In this case, binding a UDP socket with Rex is accomplished by the TFTP server mixin, so take a look at lib/rex/proto/tftp/server.rb.

    # Start the TFTP server
    def start
        # Bind a UDP socket on the configured host/port through Rex
        self.sock = Rex::Socket::Udp.create(
            'LocalHost' => listen_host,
            'LocalPort' => listen_port,
            'Context'   => context
        )

        # Service the socket from a monitor thread
        self.thread = Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
            # ... receive loop (elided in the excerpt) ...
        }
    end

robin-francois commented Jul 30, 2012

Still working on this pull request to use the Rex sockets. I will commit changes soon.

todb-r7 closed this Aug 20, 2012
