Windows ‘BadTunnel’ Attack Hijacks Network Traffic

A researcher in China has discovered a design flaw in Microsoft Windows that affects all versions of the operating system using NetBIOS spoofing —including Windows 10— and lets an attacker hijack your organization’s network traffic with a simple social engineering attack. It can be exploited silently with a near perfect success rate.

The scenario is very simple, the bad guy just uses social engineering to trick  an employee into visiting a malicious web page via IE or Edge or to open a specifically crafted Office document. The website used by the attackers will appear as either a file server or a local print server, but in the background it will hijack your network traffic including things like Windows Updates.

“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu said in an interview with DarkReading conducted via email. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years.”

Microsoft this week issued a patch for the so-called “BadTunnel” bug found by Yang Yu, director of Xuanwu Lab of Tencent in Beijing.

The expert classified the BadTunnel as a technique for NetBIOS-spoofing across networks, this means that the attacker can leverage it to get access to network traffic without being on the victim’s network. The technique is very insidious and difficult to detect because it doesn’t involve malicious code and allows to bypass firewall and Network Address Translation (NAT) devices.

BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how IE and Edge browsers support webpages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137) — all of which when lumped together make the network vulnerable to a BadTunnel attack. DarkReading has the technical details on the attack scenario, it’s a recommended read.

What To Do About It 

  1. As Redmond has patched this, apply the patch ASAP after you have tested it.
  2. Disable NetBIOS over TCP/IP
  3. Step all users through effective security awareness training that includes simulated phishing attacks



  1. I’m impressed, We have to admit. Rarely do I encounter a blog that’s
    both educative and engaging, and undoubtedly, you’ve hit the nail on the head.
    The thing is something which too few everyone is speaking intelligently
    about. I am delighted I stumbled on this during my seek out something regarding this.

  2. Wonderful blog! I discovered it while searching on Yahoo News.
    Do you have any suggestions concerning how to get placed in Yahoo News?

    I’ve been trying for a time having said that i never often arrive
    there! Thanks a lot

  3. Everyone loves what you are generally up too. This particular clever work and coverage!
    Keep up to date the amazing work dude I’ve included you to my blogroll.

  4. Maybe you have considered writing an e-book or guest authoring on other websites? We have a blog centered about the same topics you discuss and would like to have you share some stories/information. I understand my visitors would value work. If you’re even remotely interested, you can shoot me an e mail.

  5. My brother suggested I might like this website.
    He was entirely right. This post truly made my day. You can not
    imagine just how much time I had spent for this information! Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *