How is someone spoofing the netbios name of a computer on my network?

Posted on 2004-11-16
Last Modified: 2012-06-27
We had a user using netsend to send obscene messages to other users on our network; however, the message was tagged as coming from a computer that doesn't exist. We then used look@lan to scan the network for that NetBIOS name. We found it attached to a computer that had a machine name that did not match. After rebooting the computer, it went back to the machine name and the NetBIOS name matching. This is in a Windows 2003 domain network with WINS running on one of the domain controllers. Additionally, the computer was frozen with Faronics' DeepFreeze. We found out which computer it came from, but I really want to know how they did it.
Question by:briansikes
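
The check described in the question (querying a host's NetBIOS names and comparing them with its machine name), as an added example that is not part of the original thread: it parses a node status reply in the RFC 1002 format and lists unique names that differ from the name on record. The sample reply and the names LAB-PC07, CORP and GHOST-PC are constructed for illustration.

```python
import struct

GROUP = 0x8000  # G bit of NAME_FLAGS (RFC 1002, section 4.2.18)

def parse_node_status(pkt):
    """Return [(name, suffix, is_group)] from a NetBIOS node status reply."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a name service response")
    off = 12
    if pkt[off] & 0xC0 == 0xC0:        # compressed name pointer
        off += 2
    else:                              # length-prefixed labels, zero-terminated
        while pkt[off]:
            off += pkt[off] + 1
        off += 1
    rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    if rtype != 0x0021:                # 0x0021 = NBSTAT
        raise ValueError("not a node status record")
    off += 10
    count = pkt[off]
    off += 1
    if 1 + count * 18 > rdlen or off + count * 18 > len(pkt):
        raise ValueError("truncated name table")
    table = []
    for _ in range(count):             # 15-byte name, 1-byte suffix, 2-byte flags
        raw = pkt[off:off + 18]
        off += 18
        name = raw[:15].decode("ascii", "replace").rstrip()
        table.append((name, raw[15], bool(struct.unpack(">H", raw[16:])[0] & GROUP)))
    return table

def unexpected_names(table, inventory_name):
    """Unique (non-group) names that differ from the machine name on record."""
    want = inventory_name.upper()[:15]
    return [(n, sfx) for n, sfx, grp in table if not grp and n.upper() != want]

def _entry(name, suffix, flags):
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)

# Constructed sample reply: LAB-PC07 in domain CORP, plus one extra unique name.
_names = [("LAB-PC07", 0x00, 0x0400), ("CORP", 0x00, 0x8400),
          ("LAB-PC07", 0x20, 0x0400), ("GHOST-PC", 0x03, 0x0400)]
_rdata = bytes([len(_names)]) + b"".join(_entry(*n) for n in _names) + bytes(46)
SAMPLE = (struct.pack(">6H", 0x1234, 0x8400, 0, 1, 0, 0) + b"\x20CK" + b"AA" * 15 + b"\x00"
          + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(_rdata)) + _rdata)

if __name__ == "__main__":
    print(unexpected_names(parse_node_status(SAMPLE), "LAB-PC07"))
```

Group names such as the domain are ignored because every member registers them; only unique names are compared with the inventory name.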
    LVL 41

    Expert Comment


    Author Comment

    I already knew about programs to spoof the content of the netsend message; I'm actually interested in how it got changed so that look@lan and any NetBIOS queries showed the fake name attached to that computer. I tried the Darron's Messenger and successfully sent a message with a spoofed name, but it still didn't change my NetBIOS name in look@lan.
    LVL 4

    Expert Comment

    You could easily use the Windows API to do something similar, even from a Word macro (using VBA), for example (got this from a Windows security site, so don't shoot the "messenger" - pun intended):

    Private Declare Function NetMessageBufferSend Lib "netapi32" (ByVal servername As String, ByVal msgname As String, _
      ByVal fromname As String, ByVal msgbuf As String, ByRef msgbuflen As Long) As Long

    Private Sub send()
       server = "your computer name" 'isn't actually displayed
       victim = "person u send it to" 'could use * to send to all
       msg = "hello"
       fake = "the fake name u want displayed"
       'sends the message
       success = NetMessageBufferSend(StrConv(server, vbUnicode), StrConv(victim, vbUnicode), StrConv(fake, vbUnicode), _
                     StrConv(msg, vbUnicode), ByVal Len(StrConv(msg, vbUnicode)))
    End Sub


    Author Comment

    Still doesn't answer the question of how the actual NetBIOS name attached to the computer was changed; it only explains how to spoof a message.
    LVL 41

    Accepted Solution

