Tuesday, March 2, 2010

SMBRelay man-in-the-middle Scenario

•The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, an d a target server address of 192.168.234.34 with /T. c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34
•When a victim client connects to the fraudulent server thinking it is talking to the target, MITM server intercepts the call, hashe s the password and passes the connection to the target server.

SMBRelay can also be used for session hijacking. The attacker can pose as the "man in the middle" by virtually interposing himself between the client and host. SMBRelay is the first widely distributed hack tool that automates the man-in-the-middle (MITM) attack. SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data.
The attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.
Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.
For example, set up a MITM server at 192.168.200.114 using the /L+ switch, a relay address of 192.168.200.252 using the /R and a target server address of 192.168.200.168 with the /T switch:
c:\>smbrelay /IL /IR 2 192.168.200.252 /T 192.168.200.168
A victim client, 192.168.200.120, is then coaxed into connecting to the fraudulent MITM server by deception.

This brings us to SMBRelay2, which works at the NetBIOS level, and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). The difference is that instead of using IP addresses, SMBRelay2 uses NetBIOS names. Moreover, it supports man in the middle attack to a third host. However, the limitation of this utility is that currently it supports listening on only one name, so the target must attempt to connect to that name for SMBRelay2 to operate (the local name).

0 comments:

Post a Comment