SmbRelay captures NTLM hashes
Smbrelay and Smbrelay2 collect NTLM password hashes and writes them to
hashes.txt in a format usable by L0phtcrack so the passwords can be cracked
later. It is an SMB man-in-the-middle attack.
SMBRelay takes advantage of the Server Message Block (SMB) file sharing
protocol. SMB is layered onto NetBIOS, the networking application interface
first created by IBM and adopted by Microsoft for DOS. When you share a Windows
directory or drive over a local area network, you are most likely utilizing SMB
over NetBIOS over NetBEUI, IPX, or TCP/IP. OK one might ask, what does DOS have
to do with a modern network exploit?
Microsoft has maintained backward compatibility with its older "dialects."
This backward compatibility means that when a SMB session is initiated, a more
primitive "plain text" level of authentication can often be negotiated that
provides for maximum exposure of the password data. Because SMB was developed to
facilitate file and print sharing on local networks, a Windows client will
automatically attempt to log onto an SMB server. In the process, the host and
client will exchange password hashes. These pairs of password hashes, the
challenge from the host plus the response from the client, can be sniffed and
saved for later cracking by L0phtcrack.
The only effective way to block SMB hijacking is to use SMB signing.
Unfortunately there is a performance hit. See Registry Tip #206: SMB Signing for the
implementation details. If your concern is hackers coming across the firewall
and using SMB session hijacking, you can block that by not allowing UDP ports
137 and 138 as well as TCP ports 139 and 445 from coming through the firewall.
Sir Dystic's SMBRelay automates the process by functioning first as a data
relay between the client and host, sending on all but the authentication data.
Then the attacker disconnects the client and binds the host to a new IP relay
address that the attacker can log on to, all the while maintaining the original
client's host privileges. At the same time NTLM password hashes exchanged by the
client and host are collected and saved to a text file.
SmbRelay is setup to so that when it receives a connection on port 139, it
connects back to the connecting computer's port 139, and relays the packets
between the client and server of the connecting Windows machine, making
modifications to these packets when necessary. After connecting and
authenticating it disconnects the target's client and binds to port 139 on a new
IP address. This IP address (the relay address) can then be connected to
directly from windows using "net use \\126.96.36.199" and then used by all of the
networking built into Windows. It relays all the SMB traffic, except for the
negotiation and authentication. You can disconnect from and reconnect to this
virtual IP as long as the target host stays connected. SMBRelay is
multi-threaded and handles multiple connections simultaneously. It will create
new IP addresses sequentially, removing them when the target host disconnects.
It will not allow the same IP address to connect twice, unless a successful
connection to that target was achieved and disconnected. If this happens, it may
use the same relay address again for another connection.