How is someone spoofing the netbios name of a computer on my network?

We had a user using netsend to send obscene messages to other users on our network; however, the message was tagged as coming from a computer that doesn't exist. We then used look@lan to scan the network for that NetBIOS name. We found it attached to a computer that had a machine name that did not match. After rebooting the computer it went back to the machine name and the NetBIOS name matching. This is in a Windows 2003 domain network with WINS running on one of the domain controllers. Additionally, the computer was frozen with Faronics' DeepFreeze. We found out which computer it came from but I really want to know how they did it.
Asked: briansikes
1 Solution
 
stevenlewisCommented:
 
briansikesAuthor Commented:
I already knew about programs to spoof the content of the netsend message; I'm actually interested in how it got changed so that look@lan and any NetBIOS queries showed the fake name attached to that computer. I tried Darron's Messenger and successfully sent a message with a spoofed name, but it still didn't change my NetBIOS name in look@lan.
 
falvaro3Commented:
You could easily use the Windows API to do something similar, even from a Word macro (using VBA), for example (got this from a Windows security site, so don't shoot the "messenger" - pun intended):

Private Declare Function NetMessageBufferSend Lib "netapi32" (ByVal servername As String, ByVal msgname As String, _
  ByVal fromname As String, ByVal msgbuf As String, ByRef msgbuflen As Long) As Long

Private Sub send()
   server = "your computer name" 'isn't actually displayed
   victim = "person u send it to" 'could use * to send to all
   msg = "hello"
   fake = "the fake name u want displayed"
   
   'sends the message
   success = NetMessageBufferSend(StrConv(server, vbUnicode), StrConv(victim, vbUnicode), StrConv(fake, vbUnicode), _
                 StrConv(msg, vbUnicode), ByVal Len(StrConv(msg, vbUnicode)))
End Sub

HTH
 
briansikesAuthor Commented:
Still doesn't answer the question of how the actual NetBIOS name attached to the computer was changed; it only explains how to spoof a message.
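
A defensive check related to the question in this thread, added here as an example and not part of any post above: it parses a name table in the layout printed by `nbtstat -A <ip>` and flags UNIQUE NetBIOS names that match neither the machine's inventory name nor an allow-list (for example the logged-on user, whose name the Messenger service registers with suffix <03>). The sample table, the function names and every host or user name in it are constructed.

```python
import re

# Constructed sample in the layout printed by `nbtstat -A <ip>`; all names are made up.
SAMPLE = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    LAB-PC-07      <00>  UNIQUE      Registered
    EXAMPLEDOM     <00>  GROUP       Registered
    LAB-PC-07      <03>  UNIQUE      Registered
    LAB-PC-07      <20>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered
    GHOSTBOX       <03>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
"""

# One table row: name (up to 15 chars), hex suffix, UNIQUE/GROUP, status.
ROW = re.compile(
    r"^[ \t]*(\S.{0,14}?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\w+)",
    re.M,
)

def parse_name_table(text):
    """Return (name, suffix, type) for every row whose status is Registered."""
    return [
        (m.group(1).strip().upper(), int(m.group(2), 16), m.group(3))
        for m in ROW.finditer(text)
        if m.group(4) == "Registered"
    ]

def workstation_name(text):
    """The UNIQUE <00> entry is the name the Workstation service registered."""
    for name, suffix, kind in parse_name_table(text):
        if suffix == 0x00 and kind == "UNIQUE":
            return name
    return None

def unexpected_names(text, inventory_name, allowed=()):
    """UNIQUE names that are neither the inventory name nor explicitly allowed."""
    ok = {inventory_name.upper(), *(a.upper() for a in allowed)}
    return sorted(
        {(n, f"<{s:02X}>") for n, s, k in parse_name_table(text)
         if k == "UNIQUE" and n not in ok}
    )

if __name__ == "__main__":
    for name, suffix in unexpected_names(SAMPLE, "LAB-PC-07", allowed=["JSMITH"]):
        print(f"unexpected NetBIOS name {name}{suffix}")
```

Running this on a schedule against each address and logging the flagged names preserves evidence that, as the question describes, is gone once the machine reboots.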