Tuesday, March 2, 2010

SMB Hacking Tools - SMB Relay

•SMBRelay is essentially a SMB server that can capture usernames and password hashes from incoming SMB traffic. •It can also perform man-in-the-middle (MITM) attacks.
•You must disable NetBIOS over TCP/IP and block ports 139 and 445.
•Start the SMBRelay server and listen for SMB packets:
c:\>smbrelay /e c:\>smbrelay /IL 2 /IR 2 •An attacker can access the client machine by simply connecting to it via relay address using: c: \> net use * \\\c$
SMBRelay by Sir Dystic of the Cult of Dead Cow is essentially a SMB server that receives a connection on port 139, connects back to the connecting computer's port 139 or to another target server, and relays the packets between the client and server of the connecting Windows machine, as well as making modifications to these packets when necessary.
SMBRelay functions first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.
The usage is smbrelay [options]
Options:

•/D num - Set debug level, current valid levels: 0 (none), 1, 2 Defaults to 0.
•/E - Enumerates interfaces and their indexes.
•/F[-] - Fake server only, capture password hashes and do not relay Use - to disable acting as a fake server if relay fails.
•/IL num - Set the interface index to use when adding local IP addresses.
•/IR num - Set the interface index to use when adding relay IP addresses Defaults to 1.
•/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC Defaults to primary host IP.
•/R[-] IP - Set the starting relay IP address to use. Use [-] to not add each relay IP address to the NIC Defaults to 192.1.1.1 first.
•/S name - Set the source machine name.


The attacker can choose to disable TCP port 445 on the rogue server using an IPSec filter so that traffic will always flow through TCP port 139. The servers can then capture both LM and NTLM passwords, and write them to its working directory as hashes.txt which can be later imported into LOphtCrack. Furthermore, the attacker's system now can access the client machine by simply connecting to it via the relay address:
c: \>net use * \\192.x.x.x\c$
On the client side (W2K), "net use" command will fail to turn up any sessions as the program throws a system error 64 and indicates that no drives are mounted. However, running "net session" will reveal that it is connected to the spoofed machine name, CDC4EVER, which SMBRelay sets by default unless changed using the "/S name" parameter

0 comments:

Post a Comment