
I want to send a corrupt NetBIOS Session Service packet to my machine. My goal is to check whether my machine restarts or not upon receiving the corrupt NetBIOS packet (this has happened before and I want to reproduce it).

I am using Scapy, which is a Python tool, to first establish a connection to the machine on port 139, and then I am sending an NBTSession() packet to the machine.

In the Wireshark traces I see that the session is established, but when I try to send a packet with an NBTSession() layer, the Wireshark traces show it as an NBSS continuation message.

import socket
from scapy.all import *

def nbt_func():
    # 4-byte NBSS header with deliberately odd field values
    nb = NBTSession(TYPE=0x81, RESERVED=10, LENGTH=2000)
    # Wrap the serialized bytes so the stream socket sends them unchanged
    rnb = Raw(bytes(nb))
    s = socket.socket()
    s.connect(("10.62.147.30", 139))
    # Hand the connected TCP socket to Scapy; replies are dissected as Raw
    ss = StreamSocket(s, Raw)
    # sr1 belongs to the StreamSocket, not the plain socket
    ss.sr1(rnb, timeout=2)

if __name__ == "__main__":
    nbt_func()

Any idea why this is happening, or is there any other way the issue can be reproduced?

I gave some random values in the NBTSession() fields as I thought that maybe giving wrong values would mean corrupting the packet.

Thanks for the help.

Gaara

1 Answer


Corrupt packets are not exactly formatted at layer 5+ :) It could even be a corrupted IP header, so you cannot create a corrupted packet using high-level libraries.

A good approach I can propose is to connect to your server with netcat and send some garbage from /dev/urandom:

cat /dev/urandom | nc 10.62.147.30 139

DukeLion
  • Thanks Sir for the reply. I did what you asked; the traces in Wireshark still show the same message, "NBSS continuation message". – Gaara May 21 '12 at 06:35
  • And all I want to send is a corrupt payload in the NetBIOS Session Service layer. Isn't that possible? `IP(dst='1.2.3.4')/fuzz(TCP(dport=139))/NBTSession(TYPE=0x81)/"called name"` Like in the above case, in the payload section there is a called name which does not exist, so the response should be a "Negative Session response" from the server saying "Called name not present", which is not coming as output. – Gaara May 21 '12 at 06:43
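As an added example (not code from the question, the answer, or Scapy) that covers both the header built in the question and the negative response expected in the last comment, here is a stdlib-only checker for the RFC 1002 NBSS header layout: it lists what is off about TYPE=0x81, RESERVED=10, LENGTH=2000 (non-zero reserved bits, a declared length with no payload, no encoded called/calling names) and decodes the error byte of a negative session response; all sample bytes are constructed.

```python
import struct

# RFC 1002 4.3.1: TYPE (8 bits), RESERVED (7 bits, must be zero), LENGTH (17 bits)
TYPES = {0x00: "session message", 0x81: "session request",
         0x82: "positive session response", 0x83: "negative session response",
         0x84: "retarget session response", 0x85: "session keep alive"}
# RFC 1002 4.3.4: error codes carried by a negative session response
NEG_ERRORS = {0x80: "Not listening on called name", 0x81: "Not listening for calling name",
              0x82: "Called name not present", 0x83: "Insufficient resources",
              0x8F: "Unspecified error"}

def build_header(msg_type, reserved7, length17):
    """Pack a 4-byte NBSS header as given; no validation, so a bogus header is allowed."""
    return struct.pack(">BBH", msg_type,
                       ((reserved7 & 0x7F) << 1) | ((length17 >> 16) & 1),
                       length17 & 0xFFFF)

def parse_header(data):
    """Return (type, reserved7, length17) from the first 4 bytes."""
    msg_type, flags, low = struct.unpack_from(">BBH", data)
    return msg_type, flags >> 1, ((flags & 1) << 16) | low

def check_nbss(data):
    """List what is wrong with an NBSS message; an empty list means it is well-formed."""
    if len(data) < 4:
        return ["shorter than the 4-byte header"]
    msg_type, reserved, length = parse_header(data)
    problems = []
    if msg_type not in TYPES:
        problems.append(f"unknown TYPE 0x{msg_type:02x}")
    if reserved:
        problems.append(f"RESERVED bits set (0x{reserved:02x}); RFC 1002 requires zero")
    payload = len(data) - 4
    if payload != length:
        problems.append(f"LENGTH says {length} payload bytes but {payload} follow the header")
    if msg_type == 0x81 and payload < 68:
        problems.append("session request lacks the 34-byte called and calling names")
    return problems

def negative_response_reason(data):
    """Decode the error byte of a negative session response (TYPE 0x83, LENGTH 1)."""
    if len(data) < 5:
        raise ValueError("not a negative session response")
    msg_type, _reserved, length = parse_header(data)
    if msg_type != 0x83 or length != 1:
        raise ValueError("not a negative session response")
    return NEG_ERRORS.get(data[4], f"unknown error code 0x{data[4]:02x}")

if __name__ == "__main__":
    # Constructed samples: the header from the question, and the reply the comment expects
    print(check_nbss(build_header(0x81, 10, 2000)))
    print(negative_response_reason(bytes([0x83, 0x00, 0x00, 0x01, 0x82])))
```

A capture tool that applies the same reserved-bit and length checks has no reason to treat those 4 bytes as the start of a new session-service message.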