Windows uses multiple mechanisms to resolve local hostnames : local hosts file, DNS, netbios name service, LLMNR.
When a host does not exist in the local hosts file or DNS server, windows then broadcast/multicast the request using UDP protocol.
This means we can (1) capture these requests and (2) spoof a response over UDP.
xDNS Sniffer is demo, written in delphi7, using windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR to abuse local name resolution.
Sending spoofed packets is possible because these protocols are using UDP.
This code is variant/built upon previous demo discussed here.
Code can be found on Github.
Binary can be downloaded here.
Command line is : snif localip name_to_spoof.
Examples:
snif.exe 192.168.1.144 WPAD (will abuse WPAD requests and send back local ip)
snif.exe 192.168.1.144 * (will abuse all local requests and send back local ip)