SmbRelay captures NTLM hashes

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

SmbRelay and SmbRelay2 collect NTLM password hashes and write them to hashes.txt in a format usable by L0phtcrack, so the passwords can be cracked later. It is an SMB man-in-the-middle attack.

SMBRelay takes advantage of the Server Message Block (SMB) file sharing protocol. SMB is layered onto NetBIOS, the networking application interface first created by IBM and adopted by Microsoft for DOS. When you share a Windows directory or drive over a local area network, you are most likely using SMB over NetBIOS over NetBEUI, IPX, or TCP/IP. One might ask what DOS has to do with a modern network exploit.

Microsoft has maintained backward compatibility with its older SMB "dialects." This backward compatibility means that when an SMB session is initiated, a more primitive "plain text" level of authentication can often be negotiated, one that exposes the password data as fully as possible. Because SMB was developed to facilitate file and print sharing on local networks, a Windows client will automatically attempt to log on to an SMB server. In the process, the host and client exchange authentication material: the challenge from the host plus the hashed response from the client. These challenge/response pairs can be sniffed and saved for later cracking by L0phtcrack.

The only effective way to block SMB hijacking is to use SMB signing. Unfortunately, there is a performance hit. See Registry Tip #206: SMB Signing for the implementation details. If your concern is attackers coming across the firewall and using SMB session hijacking, you can block that by not allowing UDP ports 137 and 138, as well as TCP ports 139 and 445, through the firewall.
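The following PowerShell script is an added example, not part of the original article and not code from SMBRelay's author. It audits the two registry values that control SMB signing on the server (LanmanServer) and client (LanmanWorkstation) sides, reports whether signing is merely enabled (still negotiable, so a downgrade remains possible) or actually required (the setting that defeats the relay), and can enforce the required setting. The host-firewall function is an assumed local analogue of the perimeter rule described above and uses the NetSecurity cmdlets available on Windows 8/Server 2012 and later; the registry value names are the standard ones from Windows 2000 onward.

```powershell
# Added example: audit/enforce SMB signing and optionally block NetBIOS/SMB ports
# on the Windows host firewall. Run in an elevated PowerShell session.
# Assumptions: RequireSecuritySignature=1 means "signing required";
# EnableSecuritySignature=1 alone means "signing offered but negotiable".

$ServerKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$WorkstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbSigningState {
    # Reads the two signing values for one role and classifies the result.
    param([string]$Key, [string]$Role)
    $props   = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $require = if ($null -ne $props.RequireSecuritySignature) { [int]$props.RequireSecuritySignature } else { 0 }
    $enable  = if ($null -ne $props.EnableSecuritySignature)  { [int]$props.EnableSecuritySignature }  else { 0 }
    $finding = if ($require -eq 1) { 'OK: signing required' }
               elseif ($enable -eq 1) { 'WEAK: signing enabled but negotiable (downgrade possible)' }
               else { 'WEAK: signing disabled' }
    [pscustomobject]@{
        Role     = $Role
        Enabled  = ($enable -eq 1)
        Required = ($require -eq 1)
        Finding  = $finding
    }
}

function Set-SmbSigningRequired {
    # Sets both values so the role refuses unsigned sessions. Takes effect after
    # a reboot (or restart of the LanmanServer / LanmanWorkstation service).
    param([string]$Key)
    Set-ItemProperty -Path $Key -Name EnableSecuritySignature  -Value 1 -Type DWord
    Set-ItemProperty -Path $Key -Name RequireSecuritySignature -Value 1 -Type DWord
}

function Block-SmbAtHostFirewall {
    # Host-firewall counterpart of the perimeter rule: drop inbound NetBIOS and
    # SMB on the Public profile. Rule names are assumed; adjust the profile to taste.
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137,138)' `
        -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Public | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Public | Out-Null
}

function Invoke-SmbSigningAudit {
    # Audit both roles; with -Enforce, fix any role that does not require signing.
    param([switch]$Enforce, [switch]$BlockPorts)
    $states = @(
        (Get-SmbSigningState -Key $ServerKey      -Role 'Server (LanmanServer)'),
        (Get-SmbSigningState -Key $WorkstationKey -Role 'Client (LanmanWorkstation)')
    )
    $states | Format-Table Role, Enabled, Required, Finding -AutoSize

    if ($Enforce) {
        if (-not $states[0].Required) { Set-SmbSigningRequired -Key $ServerKey }
        if (-not $states[1].Required) { Set-SmbSigningRequired -Key $WorkstationKey }
        Write-Host 'SMB signing now required on both roles; reboot to apply.'
    }
    if ($BlockPorts) { Block-SmbAtHostFirewall }
    return $states
}

# Usage: audit only
Invoke-SmbSigningAudit
# Usage: audit, then require signing and block the ports locally
# Invoke-SmbSigningAudit -Enforce -BlockPorts
```

Requiring signing on the server side is what stops a relayed session from being accepted; requiring it on the client side stops a workstation from completing an unsigned session with a relay. Enforcing both on every domain member (via Group Policy rather than per-host registry edits, in practice) is the setting the article's "performance hit" refers to.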

Sir Dystic's SMBRelay automates the process by functioning first as a data relay between the client and host, passing on everything except the authentication data. Then the attacker disconnects the client and binds the host session to a new IP relay address that the attacker can log on to, all the while retaining the original client's privileges on the host. At the same time, the NTLM password hashes exchanged by the client and host are collected and saved to a text file.

SmbRelay is set up so that when it receives a connection on port 139, it connects back to the connecting computer's port 139 and relays the packets between the client and server of the connecting Windows machine, modifying these packets when necessary. After connecting and authenticating, it disconnects the target's client and binds to port 139 on a new IP address. This IP address (the relay address) can then be connected to directly from Windows using "net use \\192.1.1.1" and then used by all of the networking built into Windows. It relays all of the SMB traffic except the negotiation and authentication. You can disconnect from and reconnect to this virtual IP as long as the target host stays connected. SMBRelay is multi-threaded and handles multiple connections simultaneously. It creates new IP addresses sequentially, removing them when the target host disconnects. It will not allow the same IP address to connect twice unless a successful connection to that target was achieved and then disconnected; in that case, it may use the same relay address again for another connection.