
Wireshark-users: Re: [Wireshark-users] WindowsXP Broadcast question



From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Sun, 07 Feb 2010 07:11:00 -0800

No, I haven't. Windows boxes broadcast NBNS look-ups and announcements for a range of reasons, and chatter in this fashion with a loquacity I find astonishing. But I haven't seen a single station broadcast with that frequency (every few seconds), nor look up the NetBIOS name 'CN.KING.CD'.

If I had to guess, I would make the same guess you are making. Sounds like you have a bunch of boxes infected with some flavor of malware (though I don't know why that malware is performing CN.KING.CD look-ups every few seconds, nor why it is using NBNS rather than DNS).

Brain-storming here: you could gather a list of the infected IP addresses using Wireshark, then perform NBNS look-ups on those addresses:

C:\temp>nbtstat -A 10.11.88.152

Hutch:
Node IpAddress: [10.11.88.152] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SALLY          <00>  UNIQUE      Registered
    FHCRC          <00>  GROUP       Registered
    SALLY          <20>  UNIQUE      Registered
    FHCRC          <1E>  GROUP       Registered

    MAC Address = 00-1A-A0-AF-A5-A9


C:\temp>

That gets you the NetBIOS name ('Sally') of the infected machine. With a little local knowledge, perhaps you can track a NetBIOS name down to a physical location.

hth,

--sk



Hi, I'm new to the list and thought I'd give this question a try.


Has anyone seen a NBNS Broadcast where all the nodes on a link/subnet are
sending NBNS broadcasts with the following listed in Wireshark's
"Info" column: "Name query NB CN.KING.CD<00>"
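As an added example (not part of Stuart's reply or the original question), here is a small Python script that does the first half of the triage Stuart describes: it reads a tshark field export of NBNS name queries, assumed to have been produced with `tshark -r capture.pcapng -Y "nbns.flags.response == 0" -T fields -e frame.time_epoch -e ip.src -e nbns.name`, and lists the source IPs that query CN.KING.CD<00> every few seconds so they can be handed to `nbtstat -A`. The export lines embedded below are constructed sample data, not a real capture.

```python
"""Triage NBNS name-query chatter from a tshark field export.

Assumed export command (one query per line, tab separated):
  tshark -r capture.pcapng -Y "nbns.flags.response == 0" \
      -T fields -e frame.time_epoch -e ip.src -e nbns.name
"""
from collections import defaultdict

# Constructed sample export: two hosts asking for CN.KING.CD every ~2 s,
# one host doing ordinary-looking lookups plus a single CN.KING.CD query.
SAMPLE_EXPORT = """\
1265555000.10\t10.11.88.152\tCN.KING.CD<00>
1265555000.40\t10.11.88.17\tFILESRV<20>
1265555002.12\t10.11.88.152\tCN.KING.CD<00>
1265555002.30\t10.11.88.201\tCN.KING.CD<00>
1265555004.15\t10.11.88.152\tCN.KING.CD<00>
1265555004.34\t10.11.88.201\tCN.KING.CD<00>
1265555006.18\t10.11.88.152\tCN.KING.CD<00>
1265555006.38\t10.11.88.201\tCN.KING.CD<00>
1265555009.00\t10.11.88.17\tCN.KING.CD<00>
"""


def parse_export(text):
    """Yield (epoch_time, src_ip, queried_name) from tshark field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, name = line.split("\t")
        yield float(t), src, name


def chatty_sources(text, name="CN.KING.CD<00>", min_queries=3, max_gap=5.0):
    """Return {src_ip: (query_count, mean_gap_seconds)} for hosts that query
    `name` at least `min_queries` times with a mean gap of at most `max_gap`.
    A host that asks only once (e.g. a genuine one-off lookup) is not flagged."""
    times = defaultdict(list)
    for t, src, qname in parse_export(text):
        if qname == name:
            times[src].append(t)
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        if len(ts) < min_queries:
            continue
        mean_gap = (ts[-1] - ts[0]) / (len(ts) - 1)
        if mean_gap <= max_gap:
            flagged[src] = (len(ts), round(mean_gap, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n, gap) in sorted(chatty_sources(SAMPLE_EXPORT).items()):
        print(f"{ip}: {n} queries, ~{gap}s apart -> nbtstat -A {ip}")
```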
