Download NBNSCRIPT.SH v1.2 (english version)

COOKIE THEFT BY NBNS NAME POISONING

[Preface]
If DNS does not respond to a request and the domain name is less than 15 characters, Windows tries to resolve it locally using NBNS. NBNS is the name service used for Windows network names such as printers or local servers.

[About NBNS Spoofing]
NBNS poisoning has been around for years now. In 2005 Patrick Chambet published FakeNetbiosNS [1], a simple tool that allowed NBNS spoofing. In 2007 Robert Wesley McGrew [3] created a better spoofer called nbnspoof.py, and he explains each step he took to create it [2].

Using a modified nbnspoof.py and some iframes pointing to non-existent subdomains, we can obtain cookies for any domain with little user interaction (e.g. typing google.cmo instead of google.com).

In our script (nbnscript.sh) we integrate a modified version of nbnspoof.py and use some resources that BackTrack 3 already has installed.

[NBNScript.sh]
Redirects non-existent (sub)domains to a local page that logs cookies and contains iframes pointing at non-existent subdomains of real domains, which in turn resolve back to that same local page.

What this means is: if you run this script in BackTrack with default settings, any domain name that fails to resolve will be directed to a local server, which will obtain the cookies for google.com, live.com, hi5.com and facebook.com (sheeeesh...) and show them on your screen.

It has a nifty wizard for ease of use; you can watch a video of nbnscript in action at the top of this page.

[Some interesting stuff]
Even when using OpenDNS in Firefox, you can redirect by using an empty subdomain like http://.hi5.com
On IE only one cookie can be retrieved at a time, using a request like http://0.google.com
NoScript doesn't allow you to obtain all the cookies at once, but you can use the IE procedure.
You can also redirect to external IPs in case local HTTP servers are blocked.
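From the defender's side, the NBNS fallback described above leaves a recognisable trace on the wire: a host that answers name queries it was never asked, or that claims every unresolved name in a row. The following is an added Python example (not part of nbnscript.sh or nbnspoof.py) that builds NBNS query/response datagrams in the RFC 1001 format and runs that check over a constructed capture; the IPs, transaction IDs, names and the max_names threshold are all made up for the example.

```python
import struct
from collections import defaultdict

def encode_nb_name(name):
    # RFC 1001 first-level encoding: 15-char space-padded name + 0x00 suffix,
    # each byte split into two nibbles and each nibble added to ord('A').
    raw = name.upper().ljust(15)[:15].encode() + b"\x00"
    body = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + body + b"\x00"  # length byte, 32 encoded chars, terminator
def decode_nb_name(enc):
    body = enc[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode().rstrip()
def build_query(trn_id, name):  # broadcast name query, recursion desired
    hdr = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return hdr + encode_nb_name(name) + struct.pack(">HH", 0x0020, 0x0001)
def build_response(trn_id, name, ip):  # positive name query response
    hdr = struct.pack(">HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0) + bytes(int(o) for o in ip.split("."))
    return hdr + encode_nb_name(name) + struct.pack(">HHIH", 0x0020, 1, 300000, len(rdata)) + rdata
def parse(pkt):
    trn_id, flags = struct.unpack(">HH", pkt[:4])
    return trn_id, bool(flags & 0x8000), decode_nb_name(pkt[12:46])
def detect_poisoning(datagrams, max_names=2):
    """Flag responses with no outstanding (trn_id, name) query, and any source answering > max_names names."""
    pending, answered, alerts = set(), defaultdict(set), []
    for src, pkt in datagrams:  # (src_ip, UDP/137 payload) pairs in capture order
        trn_id, is_response, name = parse(pkt)
        if not is_response:
            pending.add((trn_id, name))
            continue
        if (trn_id, name) not in pending:
            alerts.append(f"unsolicited NBNS response for {name} from {src}")
        pending.discard((trn_id, name))
        answered[src].add(name)
        if len(answered[src]) == max_names + 1:
            alerts.append(f"{src} answered {max_names + 1} distinct names: likely NBNS poisoner")
    return alerts

# Constructed capture: a real print server answers for itself once, while 10.0.0.66 answers
# every typo/subdomain name the client falls back to NBNS for (the behaviour this page describes).
SAMPLE = [
    ("10.0.0.5", build_query(0x1001, "PRINTER1")),
    ("10.0.0.9", build_response(0x1001, "PRINTER1", "10.0.0.9")),
    ("10.0.0.5", build_query(0x1002, "0.GOOGLE.COM")),
    ("10.0.0.66", build_response(0x1002, "0.GOOGLE.COM", "10.0.0.66")),
    ("10.0.0.5", build_query(0x1003, "0.HI5.COM")),
    ("10.0.0.66", build_response(0x1003, "0.HI5.COM", "10.0.0.66")),
    ("10.0.0.66", build_response(0x1005, "0.FACEBOOK.COM", "10.0.0.66")),  # never queried
]
```

Feeding real UDP/137 payloads (e.g. from a pcap) into detect_poisoning in place of SAMPLE gives the same two kinds of alert; the legitimate PRINTER1 exchange produces none.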

Any comments: hkm @ hakim . Ws [4][5]

@ [sdc] - [nitrous] - [hkm] - [crypkey] @
##### hkm ##### created nbnscript.sh for use on his BackTrack live USB.
##### nitr0us ##### modified nbnspoof.py for targeted attacks.
##### Robert Wesley McGrew ##### created nbnspoof.py [2]
Greetzors: alt3kx, darko, psymera, hit0, napa, nahual, gwolf, nediam, roa, kuza55 and sla.ckers.org

[1] http://www.networksecurityarchive.org/html/SecTools/2005-10/msg00000.html
[2] http://www.mcgrewsecurity.com/tools/nbnspoof/
[3] http://www.mcgrewsecurity.com/
[4] http://www.hakim.ws
[5] https://www.underground.org.mx