In a recent capture, I noticed that all NetBIOS machines on the network behaved as expected with NBNS registration broadcast packets in an environment without a WINS server (i.e. they all periodically asserted their name and workgroup). The process was identical except for one IP which frequently sent a NBNS registration with a name and workgroup that mimicked one of the other machines on the network, cycling through all of the other machine names in an irregular fashion. So is this machine a NetBIOSoTCPIP attack vector, or am I just making things up? asked 20 Jan '16, 10:05 msumbufu |
To me it sounds like an infected machine, yes, at least if the capture confirms that these packets systematically come from the same IP and MAC address.
Another explanation could be some weird routing loop involving a NAT, causing the original packets from their legal sources to be forwarded back to the same LAN from which they came with NATed source IP.
So what is the intended role of the machine behaving this way? Is it meant to be an ordinary workstation or it should do something more sophisticated intentionally?