NBNS Packet Spoofing

So I recently got into hacking and security when I decided to join the local DEF CON group (where I've made some of the coolest friends ever). And by "hacking", I mean fucking around with things and seeing what happens (nothing malicious or particularly skilled on my end). As I was sniffing packets in the Tampa airport, I noticed a protocol I had never seen before called NBNS.

According to the internet, it is very silly. And it is also perfectly exploitable for babby's first hack.

When I got back from the Tampa airport, I took a look at my network traffic and saw the same booty dookey NBNS queries being sent from my Windows machine. Score. I didn't even have to set up a virtual network: I'm just so dogshit at machine hygiene that my skill issue became a pretty epic win.

NBNS and DNS: The deets

Quick DNS overview

I'm not sure how familiar you, dear reader, are with DNS, but it stands for Domain Name Service. At a high level, it's a phonebook for IP addresses (or like the contacts app on a phone). A domain name server is a server (in most instances something like Google or Cloudflare, or a personal DNS server) that keeps track of hostnames and IP addresses. DNS messages are carried over UDP (or, rarely, TCP), and the payload of that datagram is the DNS message structure itself.


I'm not going to go over what each bit means because that is not the focus of this post, and I may cover it in a different post. This structure gets packed into the body of the UDP payload, giving a hierarchical-looking, yeeyee ass haircut looking ass packet. Here's an example of a query using Scapy.

So when a machine searches for a website, it asks the name server "who is this fella?", to which the server responds with a bunch of records containing IP address information. From these records, the querying machine then knows where to route its IP packets.


NBNS

DNS is cool, I guess (also nicely exploitable, maybe at a later date). But that's NOT the point of this post. We want to take a look at DNS's younger, sillier, crayon consuming cousin.

NBNS stands for NetBIOS Name Service, which, as the name implies, functions similarly to DNS. Most Windows machines will fall back to it either a. when they can't get a response from the DNS server, or b. for local devices like network printers and the like.

TODO i'm still cooking man. I'll put a good explanation here soon.

Results

For this project, I've been using Scapy and Python, mostly because I wanted to get down and dirty with the details of NBNS and other protocols. I'm extremely new to all of this, so any low-level exposure to network traffic will do me wonders. There do exist packages and software out there that will do exactly what I want to do, which is target / pentest my Windows machine, and they will do it much better. But my goal is to have fun :3

Because I don't know what I'm doing, I decided to come out guns a-blazin' and reply to the name query. When crafting my packet, I set the opcode for query, cleared the rcode (to tell my Windows machine that the name is a-ok), and set the counts and resource records to the appropriate values. Also, in order for the transaction to be valid, I need to respond to the query with the same transaction ID. So I wrote a quick script to sniff packets until I receive one with the right NBNS question name and the correct suffix (workstation). I then read the transaction ID, slap that bad boy in my packet, and yeet him off into the ether.
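The header and name fields described above, from the defender's side: this is an added example, not the author's Scapy script, written in plain Python with no dependencies. It parses the 12-byte header that NBNS shares with DNS (transaction ID, response bit, opcode, NM_FLAGS, rcode and the four section counts), decodes the 32-character first-level encoded NetBIOS name, and then checks a reply against the query it claims to answer: same transaction ID, same name, and an address that belongs to a host you trust. The sample datagrams, the name FILESERVER and the trusted address 192.168.1.10 are constructed fixtures, not captures.

```python
import struct
from collections import namedtuple

NB_TYPE = 0x0020  # NetBIOS general name service RR type (RFC 1002)

# The 12-byte header NBNS shares with DNS: transaction ID, flags word
# (R bit, 4-bit opcode, 7 NM_FLAGS, 4-bit rcode) and four section counts.
Header = namedtuple("Header", "trn_id is_response opcode nm_flags rcode qdcount ancount nscount arcount")
Answer = namedtuple("Answer", "name suffix ttl addresses")  # addresses: [(NB_FLAGS, dotted IPv4)]
Packet = namedtuple("Packet", "header question answers")    # question: (name, suffix, qtype) or None


def nbns_encode_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append the suffix byte (0x00 =
    workstation, 0x20 = file server), then spell each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(encoded) + b"\x00"  # length, 32 chars, terminator


def nbns_decode_name(data, offset):
    """Inverse of nbns_encode_name; returns (name, suffix, offset past the name)."""
    length = data[offset]
    enc = data[offset + 1:offset + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    end = offset + 1 + length
    if data[end] != 0:
        raise ValueError("missing name terminator")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], end + 1


def parse_nbns(data):
    trn_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    hdr = Header(trn_id, bool(flags >> 15), (flags >> 11) & 0xF, (flags >> 4) & 0x7F, flags & 0xF, qd, an, ns, ar)
    off, question, answers = 12, None, []
    for _ in range(qd):
        name, suffix, off = nbns_decode_name(data, off)
        qtype, _qclass = struct.unpack_from("!HH", data, off)
        off += 4
        question = question or (name, suffix, qtype)
    for _ in range(an):
        name, suffix, off = nbns_decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        addrs = []
        if rtype == NB_TYPE:  # RDATA is a run of 6-byte (NB_FLAGS, IPv4) entries
            for i in range(0, rdlen, 6):
                nb_flags = struct.unpack_from("!H", rdata, i)[0]
                addrs.append((nb_flags, ".".join(str(b) for b in rdata[i + 2:i + 6])))
        answers.append(Answer(name, suffix, ttl, addrs))
    return Packet(hdr, question, answers)


def check_reply(query, reply, trusted):
    """Defender's check: is this reply a legitimate answer to that query?
    Returns a list of findings; an empty list means nothing looked off."""
    q, r = parse_nbns(query), parse_nbns(reply)
    findings = []
    if not r.header.is_response:
        findings.append("reply does not have the response bit set")
    if r.header.trn_id != q.header.trn_id:
        findings.append(f"transaction id mismatch (query 0x{q.header.trn_id:04x}, reply 0x{r.header.trn_id:04x})")
    for ans in r.answers:
        label = f"{ans.name}<0x{ans.suffix:02x}>"
        if q.question and (ans.name, ans.suffix) != q.question[:2]:
            findings.append(f"answer for {label} does not match the queried name")
        for _nb_flags, addr in ans.addresses:
            if addr not in trusted:
                findings.append(f"{label} resolved to untrusted address {addr}")
    return findings


# Constructed sample datagrams (UDP payloads only, not real captures). Flags
# 0x0110 = broadcast query with RD set; 0x8500 = authoritative positive response.
TRUSTED = frozenset({"192.168.1.10"})  # assumed: the real FILESERVER's address
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
         + nbns_encode_name("FILESERVER") + struct.pack("!HH", NB_TYPE, 1))


def _sample_reply(trn_id, ip):
    """Test fixture: one NB answer record carrying a single (NB_FLAGS, IPv4) entry."""
    rr = nbns_encode_name("FILESERVER") + struct.pack("!HHIH", NB_TYPE, 1, 300000, 6)
    return struct.pack("!HHHHHH", trn_id, 0x8500, 0, 1, 0, 0) + rr + struct.pack("!H4B", 0, *ip)


LEGIT_REPLY = _sample_reply(0x1234, (192, 168, 1, 10))
SPOOFED_REPLY = _sample_reply(0x1234, (192, 168, 1, 66))  # right ID, wrong address
STALE_REPLY = _sample_reply(0x1233, (192, 168, 1, 10))    # answers a transaction nobody asked

if __name__ == "__main__":
    for tag, pkt in [("legit", LEGIT_REPLY), ("spoofed", SPOOFED_REPLY), ("stale", STALE_REPLY)]:
        print(tag, check_reply(QUERY, pkt, TRUSTED) or "ok")
```

Feed `check_reply` the query/reply pairs you capture on UDP 137 and the only thing a spoofer can't hide is the address it points you at: the transaction ID and name will match by design, which is exactly why the trusted-address check (or simply alerting on any positive NBNS answer on a network that should never produce one) is the part worth wiring into detection.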

My first attempt "worked", but I couldn't really do anything (easily) with it. I had forgotten that my IP had changed since my last attempt, so I was telling my Windows machine to send traffic to another IP address for a device that doesn't exist, hence the ARP spamming. I could have theoretically spoofed an ARP request back, or I could refresh my Windows machine's wifi and try again with my Linux laptop's IP address.

So now I'm getting traffic from my Windows machine, and specifically I'm getting a whole bunch of SNMP requests. My Linux laptop is unhappy with this, as the traffic is arriving at a closed port (skill issue). Now, I don't actually know anything about SNMP, or really anything about hacking and networking (also a skill issue), and I work stupid long hours and my time is at a premium. But even if this is the end of my endeavors (for now), it's still worth noting that these SNMP set requests contain my username IN PLAINTEXT for ANYONE to see.

Now,