SMBRelay: The Program Which Gave Microsoft a Headache for More Than 7 Years

In 2001, Cult of the Dead Cow, a US hacker group, released SMBRelay. The group started in 1984 and has repeatedly made waves around the world with its controversial software releases. The SMBRelay project was the brainchild of Josh Buchbinder, known in the hacker world as Sir Dystic. He wrote SMBRelay in less than two weeks. He also authored Back Orifice, which was released in 1998. Like Back Orifice, SMBRelay was aimed at Microsoft Windows systems.

SMBRelay is an SMB MITM attack tool written mainly in C++. A Man-in-the-Middle (MITM) attack lets the attacker sit in the middle of a communication stream between two unsuspecting parties: the attacker can read, store, or alter the information coming from the source and then forward it to the destination. It’s a concept known to even novice hackers. SMBRelay, however, is not an average MITM tool; it uses some fairly advanced tactics that set it apart from run-of-the-mill MITM tools. SMBRelay requires administrator privilege to run.

Xfocus Team, a non-profit organization focused on security research, has a detailed article explaining in depth how SMBRelay works: it “receives a connection on port 139, connects back to the connecting computer’s port 139, and relays the packets between the client and server of the connecting Windows machine, making modifications to these packets when necessary”. The interesting thing is that it is impractical to block port 139, since it is used for NetBIOS sessions. The software has built-in support for multi-threading and can handle multiple connections at the same time. It generates new IP addresses in sequence and removes an IP address when the target host disconnects.

SMBRelay stores the captured NTLM password hashes in a text file named hashes.txt (NTLM stands for NT LAN Manager, a network authentication protocol suite from Microsoft). The format used is suitable for later cracking by a program such as L0phtcrack. SMBRelay is run with the smbrelay command. It gives the best results against machines running Windows NT and Windows 2000; compatibility with Windows 9x and ME is poor. It cannot work with NTLMv2, which uses 128-bit encryption. A second version of the program, SMBRelay2, was released later and is compatible with “any protocol NetBIOS is bound to.”

In an interview with The Register, a world-renowned online tech outlet, Sir Dystic lambasted Microsoft for leaving well-known protocol flaws in place in order to preserve backward compatibility. He added that merely having a firewall offers no protection against the flaw. Now comes the hilarious part. SMBRelay was launched on March 21, 2001. It took Microsoft more than seven years (2792 days, to be exact) to write a patch. The security bulletin MS08-068 was published on November 11, 2008. The patch fixes the vulnerability in the MS Server Message Block (SMB) Protocol. The bulletin mentioned that the vulnerability allowed remote code execution and that an attacker who successfully exploited it could “install programs; view, change, or delete data; or create new accounts with full user rights.” The update was rated as Important. Discussions on hacker blogs and platforms show that SMBRelay remains a tool of interest for security researchers.
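To make the relay behaviour quoted from Xfocus above and the effect of the later patch concrete, here is an added toy model (not code from SMBRelay, Xfocus or Microsoft). It replaces real NTLM with an HMAC-SHA256 challenge/response, uses a constructed secret, and models the fix as the idea commonly attributed to MS08-068: a host refuses, as a client, to answer a challenge it has itself issued as a server. The model shows why a connect-back relay against a single machine succeeds without that check and fails with it, while a legitimate session still works.

```python
import hmac
import hashlib
import os

# Toy stand-in for the NTLM response computation (not the real algorithm).
def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class WindowsHost:
    """One machine acting as SMB server (issues challenges) and SMB client (answers them)."""

    def __init__(self, secret: bytes, reject_own_challenges: bool):
        self.secret = secret                    # stands in for the account's stored hash
        self.reject_own_challenges = reject_own_challenges
        self.issued = set()                     # challenges this host handed out as a server

    # server role
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.issued.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)

    # client role
    def answer(self, challenge: bytes):
        # Hardened behaviour (modelled, not Microsoft's code): a challenge this host
        # itself issued is being reflected back at it, so it refuses to answer.
        if self.reject_own_challenges and challenge in self.issued:
            return None
        return challenge_response(self.secret, challenge)


def reflection_attempt(reject_own_challenges: bool) -> bool:
    """Relay receives a connection from the victim and connects back to the same host."""
    victim = WindowsHost(b"constructed-secret", reject_own_challenges)
    challenge = victim.issue_challenge()        # 1. victim-as-server challenges the relay
    response = victim.answer(challenge)         # 2. relay forwards it to victim-as-client
    if response is None:
        return False                            # client side refused; nothing to relay
    return victim.verify(challenge, response)   # 3. relay submits the response back


def legitimate_session(reject_own_challenges: bool) -> bool:
    """Two different hosts sharing one account: the check must not break this."""
    server = WindowsHost(b"constructed-secret", reject_own_challenges)
    client = WindowsHost(b"constructed-secret", reject_own_challenges)
    challenge = server.issue_challenge()
    return server.verify(challenge, client.answer(challenge))
```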