Spoofing a Netbios name to a windows client....

Posted on 2011-04-21
Medium Priority
Last Modified: 2012-05-11
I am in the midst of a data center move.  I have been asked by my customer to put together a proof of concept for an application - which uses UNC names to denote destinations for writing its files.

In effect, there is a client PC (lets say its a Windows 2003 server) who, through its application, writes files to \\destination\share

Now, I want to test this proof of concept without affecting the production destination.  So, I want to "spoof" the destination to a 3rd location thats nearby, lets say \\newdest\share.  However, I want to use the original server name {destination}.

I have over-written the HOSTS file on the client, and when I ping "destination" I see the IP address for "newdest".  Wonderful.

The issue comes when I try to connect to \\destination\share in Windows explorer - or if I try a "net use \\destination\ipc$" in the client command line.

In windows explorer, I get a message stating

"\\{destination\share} is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.

You were not connected because a duplicate name exists on the network.  Go to System in Control Panel to change the computer name and try again".

Undaunted, I fire up my trusty mac.  I quickly add a hosts entry for "destination" - and when I use the Mac finder, I can instantly connect to "smb:\\destination\share" and I see the "newdest\share" files !  Wonderful.

So, I think it has something to do with WINS or Netbios.  So, back on my client PC, I change the IP address advanced configuration, remove all WINS addresses, disable "LMHOSTS lookup" and "Disable NetBIOS over TCP/IP" and reboot (hey, why not).  I still get the same issue.

So, I'm trying to map to "\\destination\share" but I really want it to go to "\\newdest\share".

What suggestions does the group have on this conundrum ?
Question by:altquark
  • 3

Assisted Solution

tualchris earned 600 total points
ID: 35445167
On a per-system basis, I've been able to spoof names resolved using both DNS and WINS.  DNS, as you've already noted, uses HOSTS.  WINS (a.k.a. Netbios) uses LMHOSTS.

If you want traffic sent to OLDSYSTEM to be directed to NEWSYSTEM and NEWSYSTEM's IP address is, you'd want something like this added to your LMHOSTS file: OLDSYSTEM      #PRE

When this is saved, from a command line, issue the following command:
nbtstat -R
(use the upper case R)

As you've said with your HOSTS file, you'd want something like this in place: oldsystem

When this is saved, from the command line, issue the following command:
ipconfig /flushdns

I've used this technique when testing a copy of our database during a database move from our web server.  This allowed me to attempt running the web applications and verify things were wroking okay before I contacted our network administrator to make the permanent switch.

Keep in mind that any system you want to spoof name resolution will need to have these modifications.

Hope this helps!

Author Comment

ID: 35445428
We tried this earlier.  We added that exact line to LMHOSTS, ensured that the "Use LMHOSTS file" was checked in WINS, flushed DNS and also NBSTAT-R, and it didn't do nothing....

Now - heres the kicker - NEWSYSTEM is on the same Domain (AD) as the client, but OLDSYSTEM is a on a trusted domain.

HOWEVER, when I also tried doing this with "FAKESYSTEM" ( a system name that doesn't exist at all on the network) - I'm getting the same error (duplicate name on the network) - which is WIERD ?!

Accepted Solution

scuthber earned 1400 total points
ID: 35446309
I take it this is an Active Directory scenario? To be able to connect to shares on a server using another server's name you need to add the name and service principal names to the new destination.

If your HOSTS entry resolves to the NEWDEST but you can't connect you will have to add the host Service Principal Name for DESTINATION to NEWDEST:


setspn is in the resource kit tools or adminpak.msi

Note, DESTINATION will have to be disconnected from the network when you do this or it won't allow its SPN to be moved to NEWDEST.

You may also have to add the DESTINATION server name to NEWDEST. You can do this by creating the following REG_MULTI_SZ value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\OptionalNames
on NEWDEST. Add the DESTINATION name to this key and restart the server service. Again, DESTINATION needs to be off the network when you do this.

you may need to add BackConnectionHostnames in to newdest's registry, as per http://support.microsoft.com/kb/926642, or you may get "the target account is incorrect".

Author Comment

ID: 35823076
Closing manually.  Sorry it took a while.

Author Closing Comment

ID: 35823090
We decided to not spoof the IP - so it wasn't possible to accurately test the solutions offered.  I am closing this question and awarding points with the higher points to Scuthber since his was information we didn't know about.

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question