[PEN-TEST] SMBRelay

From: Elias Levy (aleph1at_private)
Date: Thu Apr 19 2001 - 08:49:20 PDT


    http://pr0n.newhackcity.net/~sd/smbrelay.html
    
    Smbrelay is a program that receives a connection on port 139, connects back to
    the connecting computer's port 139, and relays the packets between the client
    and server of the connecting Windows machine, making modifications to these
    packets when necessary.
    
    After connecting and authenticating it disconnects the target's client and
    binds to port 139 on a new IP address. This IP address (the relay address) can
    then be connected to directly from Windows using
        "net use \\192.1.1.1"
    and then used by all of the networking built into Windows. It relays all the
    SMB traffic, except for the negotiation and authentication. You can disconnect
    from and reconnect to this virtual IP as long as the target host stays
    connected.
    
    SMBRelay is multi-threaded and handles multiple connections simultaneously. It
    will create new IP addresses sequentially, removing them when the target host
    disconnects. It will not allow the same IP address to connect twice, unless a
    successful connection to that target was achieved and disconnected. If this
    happens, it may use the same relay address again for another connection.
    
    SMBRelay collects the NTLM password hashes transmitted and writes them to
    hashes.txt in a format usable by L0phtcrack so the passwords can be cracked
    later.
    
    
    --
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
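
Added example, not part of the original post or of SMBRelay: a detection sketch for the connect-back behaviour described above, where a host that receives a connection on port 139 immediately opens its own connection to the caller's port 139. The flow-record format, the sample records and the 5-second window are assumptions made for illustration; peers that legitimately browse each other's shares can also match and need allow-listing.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport")

SMB_PORT = 139   # NetBIOS session service, the port named in the post
WINDOW = 5.0     # seconds; assumed threshold, tune for the monitored network

# Constructed sample flow records: "<epoch-seconds> <src> <dst> <dst-port>"
SAMPLE = """
100.0 10.0.0.5  10.0.0.66 139   # workstation connects to unknown host
100.4 10.0.0.66 10.0.0.5  139   # that host connects straight back
200.0 10.0.0.7  10.0.0.20 139   # normal client -> file server
300.0 10.0.0.8  10.0.0.20 445   # different port, ignored
900.0 10.0.0.20 10.0.0.7  139   # reverse direction, far outside the window
"""

def parse_flows(text):
    """Parse the constructed record format into time-ordered Flow tuples."""
    flows = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport)))
    return sorted(flows)

def find_connect_backs(flows, window=WINDOW, port=SMB_PORT):
    """Return (client, suspect, inbound_ts, connect_back_ts) for every host
    that answered an inbound connection on `port` by connecting back to the
    caller on the same port within `window` seconds."""
    recent = {}   # (client, server) -> time of the latest client->server flow
    hits = []
    for f in flows:
        if f.dport != port:
            continue
        t0 = recent.get((f.dst, f.src))        # earlier flow the other way?
        if t0 is not None and 0 <= f.ts - t0 <= window:
            hits.append((f.dst, f.src, t0, f.ts))
            del recent[(f.dst, f.src)]         # report each pairing once
            continue
        recent[(f.src, f.dst)] = f.ts
    return hits

if __name__ == "__main__":
    for client, suspect, t_in, t_back in find_connect_backs(parse_flows(SAMPLE)):
        print(f"{suspect} connected back to {client}:{SMB_PORT} "
              f"{t_back - t_in:.1f}s after the inbound session")
```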
    



    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 09:49:56 PDT