Thread-topic: [NT] Abusing TCP/IP Name Resolution in Windows To Carry Out Phishing Attacks
The things people come up with ;-)
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Thursday, March 15, 2007 2:15 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Abusing TCP/IP Name Resolution in Windows To
> Carry Out Phishing Attacks
>
>
> Abusing TCP/IP Name Resolution in Windows To Carry Out
> Phishing Attacks
>
>
>
> A vulnerability in the way Windows tries to resolve FQDNs
> allows attackers present on the local network to redirect
> them to a third-party server without needing to take over the
> DNS server.
>
>
> Name resolution takes place in the following order on *nix boxes:
> * Local name
> * Look up into /etc/hosts file
> * Query the DNS server.
>
> In Windows the name resolution follows:
> * Local name
> * Hosts file
> * DNS
> * WINS
> * NetBIOS b-node broadcasts
> * lmhosts file
>
> The NetBIOS b-node broadcasts can be abused to carry out
> phishing attacks. Thus, if someone types "gmail.ocm" instead
> of "gmail.com", then the DNS and WINS queries will fail for
> this hostname and the victim's OS will send a broadcast
> request on UDP 137 looking for the name gmail.ocm. This can
> then be responded to by the attacker and a phishing attack can
> be done against him.
>
> Victim -> DNS -> WINS -> (Local subnet + Attacker)
> gmail.ocm -> failed -> failed -> broadcast request
> <-------------------------------- Attacker's response to
> victim for name gmail.ocm
>
> Tool Used:
> FakeNetbiosNS (NetBIOS Name Service) available from URL:
> http://honeynet.rstack.org/tools.php
>
> Demonstration:
> Case-1 Normal Scenario
> Victim -> Local Subnet + Attacker
> Ping gmail.ocm ----> Broadcast request for gmail.ocm [nbns query]
> Time out (no response for NBNS query)
>
> Case-2 Attacker Emulating hostnames
> Victim fakenbns -> Local Subnet + Attacker running
> Ping gmail.ocm -------------> Broadcast request for
> gmail.ocm[nbns query]
> <------------------------- Attacker responds for
> gmail.ocm[nbns response]
> Ping attacker's IP address (as in NBNS response) <--> ping response
>
> Attacker runs fakenetbios-ns script with these parameters:
> ./fakenbns -f ../FakeNetbiosDGM.conf.ini
>
> Entries in FakeNetbiosDGM.conf.ini
> MYDOMAIN HOST01 192.168.1.101 1 Windows XP Workstation
> MYDOMAIN gmail.ocm 192.168.1.101 1 Windows XP Workstation
> MYDOMAIN hotmail.ocm 192.168.1.101 1 Windows XP Workstation
>
>
> Additional Information:
> The information has been provided by Sumit Siddharth
> <mailto:sid@xxxxxxxxxxxxxxx> .
> The original article can be found at:
> http://www.notsosecure.com/folder2/wp-content/uploads/2007/03/
> microsoft-word-abusing-nbns.pdf
>
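As an added defender-side example (not code from the advisory, its author or the fakenbns tool): a parser for the RFC 1002 NBNS name query that Windows broadcasts on UDP 137 once DNS and WINS fail, which flags queries whose decoded name contains a dot, i.e. the "gmail.ocm" fall-through described above. The sample packet is constructed inline and all function names are my own.

```python
import struct
from typing import Optional, Tuple

QTYPE_NB = 0x0020     # NetBIOS general name service record (RFC 1002)
QCLASS_IN = 0x0001
FLAG_BROADCAST = 0x0010   # NM_FLAGS "B" bit: b-node broadcast query

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15-char upper-case, space-padded name plus a
    one-byte service suffix; every nibble becomes a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)

def decode_netbios_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid nibble character in encoded name")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_name_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed broadcast NB query of the kind Windows sends to UDP 137."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | FLAG_BROADCAST, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NB, QCLASS_IN)

def parse_name_query(pkt: bytes) -> Optional[Tuple[str, int, bool]]:
    """Return (name, suffix, is_broadcast) for a well-formed NB query, else None."""
    if len(pkt) < 50:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        return None                      # a response, non-query opcode, or odd count
    if pkt[12] != 0x20 or pkt[45] != 0x00:
        return None                      # expect one 32-byte label, then terminator
    if struct.unpack("!HH", pkt[46:50]) != (QTYPE_NB, QCLASS_IN):
        return None
    name, suffix = decode_netbios_name(pkt[13:45])
    return name, suffix, bool(flags & FLAG_BROADCAST)

def dns_fallthrough_name(pkt: bytes) -> Optional[str]:
    """Detection rule: a broadcast NB query for a dotted name means a DNS lookup
    failed and fell through to NetBIOS; that is the window the advisory abuses."""
    parsed = parse_name_query(pkt)
    if parsed is None:
        return None
    name, _suffix, broadcast = parsed
    return name if broadcast and "." in name else None
```

Run this over the payload of each UDP/137 datagram seen on the segment; any non-None result is worth an alert, and the fix on the host side is to disable NetBIOS over TCP/IP on the interface.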