Download NBNSCRIPT.SH v1.2 (english version)


If DNS does not respond to a request, and the domain name is less than 15 characters, Windows tries to resolve it locally using NBNS. NBNS is the name service used for windows network names such a printers o local servers.

[About NBNS Spoofing]
NBNS poisoning has been around for years now. Since 2005 FakeNetbiosNS [1] was published by Patrick Chambet a simple tool that allowed NBNS spoofing. Robert Wesley McGrew [3] created in 2007 a better spoofer called and he explains each step he took to create it [2].

Using a modified and some iframes pointing to non existing subdomains, we can obtain cookies of any domain with little user interaction (i.e. typing google.cmo instead of .com).

In our script ( we integrate a modified version of and we use some resources that backtrack3 already has installed.

[] - Download NBNSCRIPT.SH v1.2 (english version)
Redirects nonexistent (sub)domains to a local page that logs cookies and has iframes with non existing subdomains (but real domains) pointed to itself.

What this means is: If you run this script in backtrack, with default settings, any domain that is not resolved will be directed to a local server that will obtain cookies of: and (sheeeesh...) and show you their cookies on your screen.

It has a nifty wizard for ease of use, you can watch a video of nbnscript in action in the top of this page.

[Some interesting stuff]
Even when using OpenDNS in Firefox you can redirect by using an empty subdomain like
On I.E. only one cookie can be retrieved at a time, and using a request like
No-script doesn’t allow you to obtain all the cookies at once, but you can use the I.E. procedure.
You can also redirect to external IPs in case local http servers are blocked.

Any comments: hkm @ hakim . Ws [4][5]

@ [sdc] - [nitrous] - [hkm] - [crypkey] @
##### hkm ##### created for using it in his backtrack live usb.
##### nitr0us ##### modified for targeted attacks.
##### Robert Wesley McGrew ##### created [2]
Greetzors: alt3kx, darko, psymera, hit0, napa, nahual, gwolf, nediam, roa, kuza55 and