SMBRelay
SMBRelay and SMBRelay2 are computer programs that can be used to carry out SMB (Server Message Block) man-in-the-middle (MITM) attacks on Windows machines. They were written by Sir Dystic of CULT OF THE DEAD COW (cDc) and released March 21, 2001 at the @lantacon convention in Atlanta, Georgia. More than seven years after its release, Microsoft released a patch (MS08-068, November 2008) that fixed the hole exploited by SMBRelay: a host no longer accepts NTLM credentials that it has itself just issued a challenge for, which closes the reflection of a client's authentication back to the client's own machine. Relaying the authentication to a different host is not covered by that patch and is prevented only where SMB signing is required.

SMBRelay

SMBRelay receives a connection on TCP port 139 (the NetBIOS session service) and relays the packets between the connecting Windows client and the SMB server, directing them back at port 139 of the originating computer so that the client ends up authenticating the attacker to its own machine. It modifies these packets when necessary.

After the client has connected and authenticated, it is disconnected and SMBRelay binds port 139 on a new IP address. This relay address can then be connected to directly with "net use \\192.1.1.1" and used through all of the networking functions built into Windows. The program relays all of the SMB traffic except the negotiation and authentication, which have already taken place. As long as the target host keeps the session open, the user can disconnect from and reconnect to this virtual IP.

SMBRelay also collects the NTLM password hashes, in the form of the captured challenge/response pairs, and writes them to hashes.txt in a format usable by L0phtCrack for cracking at a later time.
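The two passages above describe one procedure: obtain the target's challenge, pass it to the victim, forward the victim's answer so the target opens a session for the relay, drop the victim, and keep the challenge/response for offline cracking. The following is an added example modelling that exchange; it is not code from SMBRelay or cDc. It works on NTLMv2 message values as specified in MS-NLMP, with no SMB framing or sockets. Assumptions: MD5 stands in for MD4 in the NT hash (MD4 is often unavailable in Python's hashlib); the domain, account, password and wordlist are constructed; and the hashes.txt line uses the user::domain:challenge:NTProofStr:blob layout that current crackers accept rather than the L0phtCrack format of 2001. It also shows the caveat the article leaves out: the relay never learns the session key, so a target that enforces SMB signing rejects its traffic.

```python
import hashlib
import hmac
import os

def nt_hash(password):
    # Assumption: MD5 stands in for MD4 (real NT hash = MD4(UTF-16LE(password)));
    # hashlib.new("md4") is unavailable on many OpenSSL 3 builds.
    return hashlib.md5(password.encode("utf-16-le")).digest()

def ntowf_v2(password, user, domain):
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def nt_proof(ntowf, server_challenge, blob):
    # NTProofStr: the 16 bytes an offline cracker has to reproduce.
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()

def session_key(ntowf, proof):
    # SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr); it keys SMB signing and sealing.
    return hmac.new(ntowf, proof, hashlib.md5).digest()

class Client:
    # Victim Windows client: answers the challenge of whatever "server" it reached.
    def __init__(self, domain, user, password):
        self.domain, self.user, self.key = domain, user, None
        self.ntowf = ntowf_v2(password, user, domain)

    def respond(self, server_challenge):
        blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(16)  # simplified NTLMv2 client blob
        proof = nt_proof(self.ntowf, server_challenge, blob)
        self.key = session_key(self.ntowf, proof)
        return self.domain, self.user, proof + blob

class Server:
    # Target SMB server: holds the account's NTOWFv2 (derived from the stored NT hash).
    def __init__(self, accounts):
        self.accounts, self.server_challenge, self.key = accounts, None, None

    def challenge(self):
        self.server_challenge = os.urandom(8)
        return self.server_challenge

    def authenticate(self, domain, user, response):
        ntowf = self.accounts.get((domain, user))
        if ntowf is None or self.server_challenge is None:
            return False
        proof, blob = response[:16], response[16:]
        if not hmac.compare_digest(proof, nt_proof(ntowf, self.server_challenge, blob)):
            return False
        self.key = session_key(ntowf, proof)
        return True

    def verify_signature(self, message, signature):
        return self.key is not None and hmac.compare_digest(
            signature, hmac.new(self.key, message, hashlib.md5).digest())

class Relay:
    # SMBRelay-style man in the middle: the victim connects here, the relay connects to the target.
    def __init__(self, target):
        self.target, self.server_challenge = target, None
        self.captured = []   # hashes.txt-style lines for cracking later
        self.key = None      # never learned: deriving it needs NTOWFv2

    def challenge(self):
        # Do not invent a challenge: fetch the target's and pass it through to the victim.
        self.server_challenge = self.target.challenge()
        return self.server_challenge

    def authenticate(self, domain, user, response):
        proof, blob = response[:16], response[16:]
        # user::domain:challenge:NTProofStr:blob is the usual NetNTLMv2 crack-file layout.
        self.captured.append(f"{user}::{domain}:{self.server_challenge.hex()}:{proof.hex()}:{blob.hex()}")
        # Forward the victim's answer unchanged; the target now holds a session for the relay.
        return self.target.authenticate(domain, user, response)

def run_relay(domain="CORP", user="alice", password="Password1"):
    # Constructed account: the target's own copy of the credential.
    target = Server({(domain, user): ntowf_v2(password, user, domain)})
    relay, victim = Relay(target), Client(domain, user, password)
    ok = relay.authenticate(*victim.respond(relay.challenge()))
    # The victim is now dropped; the relay keeps the authenticated session on the target.
    return ok, relay, target, victim

def crack(line, wordlist):
    # Offline step on a captured line: recompute NTProofStr for each candidate password.
    user, _, domain, chal, proof, blob = line.split(":")
    for candidate in wordlist:
        if nt_proof(ntowf_v2(candidate, user, domain), bytes.fromhex(chal), bytes.fromhex(blob)) == bytes.fromhex(proof):
            return candidate
    return None

def signature_accepted(target, key, message=b"\xfeSMB" + b"\x00" * 60):
    # With SMB signing enforced each message carries HMAC(session key); the relay has none.
    return target.verify_signature(message, hmac.new(key or b"", message, hashlib.md5).digest())

if __name__ == "__main__":
    ok, relay, target, victim = run_relay()
    print("relay authenticated as alice:", ok)
    print("hashes.txt line:", relay.captured[0])
    print("cracked:", crack(relay.captured[0], ["letmein", "Password1"]))
    print("relay can sign:", signature_accepted(target, relay.key))
```

The relay never touches the password or hash: it authenticates purely by forwarding, which is why the protocol's "fundamental design flaw" quoted below is independent of password strength. Offline cracking of the saved line, and SMB signing as the server-side defence, both fall out of the same NTLMv2 arithmetic.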

Because binding port 139 requires administrator privileges, SMBRelay must be run from an administrator account. Blocking the attack at the port level is difficult, however, since port 139 is needed for NetBIOS sessions.

According to Sir Dystic, "The problem is that from a marketing standpoint, Microsoft wants their products to have as much backward compatibility as possible; but by continuing to use protocols that have known issues, they continue to leave their customers at risk to exploitation... These are, yet again, known issues that have existed since day one of this protocol. This is not a bug but a fundamental design flaw. To assume that nobody has used this method to exploit people is silly; it took me less than two weeks to write SMBRelay."

SMBRelay2

SMBRelay2 works at the NetBIOS level across any protocol to which NetBIOS is bound (such as NBF or NBT). It differs from SMBRelay in that it uses NetBIOS names rather than IP addresses.

SMBRelay2 also supports relaying the captured authentication to a third host, rather than only reflecting it back to the client's own machine. However, it can listen on only one name at a time.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.