{"id":1988,"date":"2019-01-04T22:58:58","date_gmt":"2019-01-04T21:58:58","guid":{"rendered":"http:\/\/labalec.fr\/erwan\/?p=1988"},"modified":"2019-01-04T22:59:09","modified_gmt":"2019-01-04T21:59:09","slug":"capture-and-spoof-nbt-ns-and-llmnr-packets","status":"publish","type":"post","link":"https:\/\/labalec.fr\/erwan\/?p=1988","title":{"rendered":"Capture and spoof NBT NS and LLMNR packets"},"content":{"rendered":"<p>Windows uses multiple mechanisms to resolve local hostnames: the local hosts file, DNS, NetBIOS Name Service, and LLMNR.<br \/>\nWhen a host does not exist in the local hosts file or on the DNS server, Windows then broadcasts\/multicasts the request over UDP.<br \/>\nThis means we can (1) capture these requests and (2) spoof a response over UDP.<\/p>\n<p>xDNS Sniffer is a demo, written in Delphi 7, that uses Windows raw sockets (receiving and sending) to capture and spoof NBT-NS and LLMNR packets to abuse local name resolution.<br \/>\nSending spoofed packets is possible because these protocols use UDP.<br \/>\nThis code is a variant of, and built upon, the previous demo discussed <a href=\"https:\/\/labalec.fr\/erwan\/?p=1980\" rel=\"noopener\" target=\"_blank\">here<\/a>.<\/p>\n<p>The code can be found on <a href=\"https:\/\/github.com\/erwan2212\/xDNS_SNIFFER-DELPHI\" rel=\"noopener\" target=\"_blank\">GitHub<\/a>.<\/p>\n<p>The binary can be downloaded <a href=\"https:\/\/erwan.labalec.fr\/other\/xDNS_snif.zip\" rel=\"noopener\" target=\"_blank\">here<\/a>.<\/p>\n<p>The command line is: snif localip name_to_spoof.<br \/>\nExamples:<br \/>\nsnif.exe 192.168.1.144 WPAD (abuses WPAD requests and sends back the local IP)<br \/>\nsnif.exe 192.168.1.144 * (abuses all local requests and sends back the local IP)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows uses multiple mechanisms to resolve local hostnames: the local hosts file, DNS, NetBIOS Name Service, and LLMNR. 
When a host does not exist in the local hosts file or on the DNS server, Windows then broadcasts\/multicasts the request over UDP. This means we can (1) capture these requests and (2) spoof a response over UDP. xDNS <a href='https:\/\/labalec.fr\/erwan\/?p=1988' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1988","post","type-post","status-publish","format-standard","hentry","category-network","category-5-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"_links":{"self":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/1988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1988"}],"version-history":[{"count":1,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/1988\/revisions"}],"predecessor-version":[{"id":1989,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=\/wp\/v2\/posts\/1988\/revisions\/1989"}],"wp:attachment":[{"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/labalec.fr\/erwan\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}