HOME

TheInfoList



Click Here for Items Related To - SMBRelay
OR:
SMBRelay on:   [Wikipedia]   [Google]   [Amazon]

SMBRelay and SMBRelay2 are
computer program A computer program is a sequence or set of instructions in a programming language for a computer to execute. Computer programs are one component of software, which also includes documentation and other intangible components. A computer program ...
s that can be used to carry out SMB man-in-the-middle (mitm) attacks on
Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for ser ...
machines. They were written by
Sir Dystic ''Sir'' is a formal honorific address in English language, English for men, derived from Sire in the High Middle Ages. Both are derived from the old French "Sieur" (Lord), brought to England by the French-speaking Normans, and which now exist i ...
of
CULT OF THE DEAD COW Cult of the Dead Cow, also known as cDc or cDc Communications, is a computer hacker and DIY media organization founded in 1984 in Lubbock, Texas. The group maintains a weblog on its site, also titled "Cult of the Dead Cow". New media are rele ...
(cDc) and released March 21, 2001 at the @lantacon convention in
Atlanta Atlanta ( ) is the capital and most populous city of the U.S. state of Georgia. It is the seat of Fulton County, the most populous county in Georgia, but its territory falls in both Fulton and DeKalb counties. With a population of 498,715 ...
,
Georgia Georgia most commonly refers to: * Georgia (country), a country in the Caucasus region of Eurasia * Georgia (U.S. state), a state in the Southeast United States Georgia may also refer to: Places Historical states and entities * Related to the ...
. More than seven years after its release, Microsoft released a patch that fixed the hole exploited by SMBRelay. This fix only fixes the vulnerability when the SMB is reflected back to the client. If it is forwarded to another host, the vulnerability can be still exploited.


SMBRelay

SMBrelay receives a connection on UDP
port A port is a maritime facility comprising one or more wharves or loading areas, where ships load and discharge cargo and passengers. Although usually situated on a sea coast or estuary, ports can also be found far inland, such as H ...
139 and relays the packets between the client and server of the connecting Windows machine to the originating computer's port 139. It modifies these packets when necessary. After connecting and authenticating, the target's client is disconnected and SMBRelay binds to port 139 on a new
IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...
. This relay address can then be connected to directly using "net use \\192.1.1.1" and then used by all of the networking functions built into Windows. The program relays all of the SMB traffic, excluding negotiation and authentication. As long as the target host remains connected, the user can disconnect from and reconnect to this
virtual IP A virtual IP address (VIP or VIPA) is an IP address that does not correspond to a physical network interface. Uses for VIPs include network address translation (especially, one-to-many NAT), fault-tolerance, and mobility. Usage For one-to-man ...
. SMBRelay collects the
NTLM In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft L ...
password hashes and writes them to hashes.txt in a format usable by
L0phtCrack L0phtCrack is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-for ...
for cracking at a later time. As port 139 is a privileged port and requires administrator access for use, SMBRelay must run as an administrator access account. However, since port 139 is needed for
NetBIOS NetBIOS () is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, Ne ...
sessions, it is difficult to block. According to Sir Dystic, "The problem is that from a marketing standpoint, Microsoft wants their products to have as much
backward compatibility Backward compatibility (sometimes known as backwards compatibility) is a property of an operating system, product, or technology that allows for interoperability with an older legacy system, or with input designed for such a system, especiall ...
as possible; but by continuing to use protocols that have known issues, they continue to leave their customers at risk to exploitation... These are, yet again, known issues that have existed since day one of this protocol. This is not a bug but a fundamental design flaw. To assume that nobody has used this method to exploit people is silly; it took me less than two weeks to write SMBRelay."Greene, Thomas C.
Exploit devastates WinNT/2K security
" ''
The Register ''The Register'' is a British technology news website co-founded in 1994 by Mike Magee, John Lettice and Ross Alderson. The online newspaper's masthead sublogo is "''Biting the hand that feeds IT''." Their primary focus is information te ...
'' online edition, April 19, 2001. Retrieved August 20, 2005.


SMBRelay2

SMBRelay2 works at the NetBIOS level across any protocol to which NetBIOS is bound (such as NBF or NBT). It differs from SMBrelay in that it uses NetBIOS names rather than IP addresses. SMBRelay2 also supports man-in-the-middling to a third host. However, it only supports listening on one name at a time.


See also

*
Pass the hash In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext passwo ...


References


External links


The SMB Man-In-the-Middle Attack
by Sir Dystic


How to disable LM authentication on Windows NT
- lists affected operating systems
Your Field Guide To Designing Security Into Networking Protocols

Extended Protection for Authentication
{{Cult of the Dead Cow Windows security software Computer security exploits Internet Protocol based network software Cult of the Dead Cow software