SMBRelay

SMBRelay and SMBRelay2 are computer programs that can be used to carry out SMB man in the middle (mitm) attacks on Windows machines. They were written by Sir Dystic of CULT OF THE DEAD COW (cDc) and released March 21, 2001 at the @lantacon convention in Atlanta, Georgia.

SMBRelay

SMBRelay receives a connection on UDP port 139 and relays the packets between the client and server sides of the connecting Windows machine back to the originating computer's port 139, modifying these packets when necessary.

After connecting and authenticating, the target's client is disconnected and SMBRelay binds to port 139 on a new IP address. This relay address can then be connected to directly using "net use \\192.1.1.1" and then used by all of the networking functions built into Windows. The program relays all of the SMB traffic, excluding negotiation and authentication. As long as the target host remains connected, the user can disconnect from and reconnect to this virtual IP.

SMBRelay collects the NTLM password hashes and writes them to hashes.txt in a format usable by L0phtCrack for cracking at a later time.
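The mechanism described above has a network footprint a defender can look for: the victim opens a session to the relay on port 139, and the relay almost immediately opens its own port-139 session back to the victim to replay the authentication. The following detector, added here as an example rather than code from the article, SMBRelay or cDc, scans constructed flow records for that connect-back pair. The record layout (timestamp, source, destination, destination port) and the five-second window are assumptions of this example.

```python
"""Flag SMBRelay-style connect-back pairs on port 139 in flow records.

Added example for this article; not part of SMBRelay or any cDc code.
Input records are constructed here and assume a simple
"<ISO timestamp> <src> <dst> <dst_port>" layout per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: the 10.0.0.5 -> 10.0.0.9 session is answered
# by 10.0.0.9 -> 10.0.0.5 on port 139 one second later (the relay pattern);
# the 10.0.0.7 / 10.0.0.20 exchange returns on port 445 and is not matched.
SAMPLE_FLOWS = """\
2001-03-21T10:00:01 10.0.0.5 10.0.0.9 139
2001-03-21T10:00:02 10.0.0.9 10.0.0.5 139
2001-03-21T10:05:00 10.0.0.7 10.0.0.20 139
2001-03-21T10:05:01 10.0.0.20 10.0.0.7 445
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_connect_backs(flows, port=139, window=timedelta(seconds=5)):
    """Return (victim, relay, t_in, t_back) for each session to `port` that
    is followed within `window` by a session from the destination back to
    the source on the same port.

    The victim is the host that connected first; the relay is the host
    that connected back to it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        for t_in in times:
            for t_back in by_pair.get((dst, src), []):
                if timedelta(0) <= t_back - t_in <= window:
                    hits.append((src, dst, t_in, t_back))
    return sorted(hits)


if __name__ == "__main__":
    for victim, relay, t_in, t_back in find_connect_backs(parse_flows(SAMPLE_FLOWS)):
        delay = (t_back - t_in).total_seconds()
        print(f"connect-back: {relay} -> {victim}:139 {delay:.0f}s after "
              f"{victim} -> {relay}:139")
```

Two hosts that legitimately share files with each other in both directions will also produce a pair within the window, so treat a hit as a lead to correlate with authentication logs on the victim rather than as proof of a relay.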

Because port 139 is a privileged port that requires administrator access to bind, SMBRelay must run under an administrator account. Since port 139 is also needed for NetBIOS sessions, however, it is difficult to block.

According to Sir Dystic, "The problem is that from a marketing standpoint, Microsoft wants their products to have as much backward compatibility as possible; but by continuing to use protocols that have known issues, they continue to leave their customers at risk to exploitation... These are, yet again, known issues that have existed since day one of this protocol. This is not a bug but a fundamental design flaw. To assume that nobody has used this method to exploit people is silly; it took me less than two weeks to write SMBRelay." [Greene, Thomas C. "[http://www.theregister.co.uk/2001/04/19/exploit_devastates_winnt_2k_security/ Exploit devastates WinNT/2K security]." "The Register" online edition, April 19, 2001. Retrieved August 20, 2005.]

SMBRelay2

SMBRelay2 works at the NetBIOS level across any protocol to which NetBIOS is bound (such as NBF or NBT). It differs from SMBRelay in that it uses NetBIOS names rather than IP addresses.

SMBRelay2 also supports man-in-the-middle relaying to a third host. It can, however, only listen on one name at a time.

References

External links

* [http://www.xfocus.net/articles/200305/smbrelay.html The SMB Man-In-the-Middle Attack] by Sir Dystic
* [http://securityresponse.symantec.com/avcenter/venc/data/backdoor.smbrelay.html Symantec Security Bulletin]


Wikimedia Foundation. 2010.
