SMBRelay and SMBRelay2 are computer programs that can be used to carry out SMB man in the middle (mitm) attacks on Windows machines.SMBrelay receives a connection on UDP port 139 and relays the packets between the client and server of the connecting Windows machine to the originating computer's port 139. It modifies these packets when necessary.
After connecting and authenticating, the target's client is disconnected and SMBRelay binds to port 139 on a new IP address. This relay address can then be connected to directly using "net use \\192.1.1.1" and then used by all of the networking functions built into Windows. The program relays all of the SMB traffic, excluding negotiation and authentication. As long as the target host remains connected, the user can disconnect from and reconnect to this virtual IP.
SMBRelay collects the NTLM password hashes and writes them to hashes.txt in a format usable by L0phtCrack for cracking at a later time.
As port 139 is a privileged port and requires administrator access for use, SMBRelay must run as an administrator access account. However, since port 139 is needed for NetBIOS sessions, it is difficult to block.
The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia
This Vulnerabilty will easy exploitable with metasploit (smb_relay). Smb relay will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. the connecting user is an administrator and network logins are allowed to the target machine, this smb relay module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt
is by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation.
On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration
