Penetration Testing mailing list archives

RE: SMBRelay issues


From: "Zwan-van-der.Erwin" <Erwin.Zwan-van-der () siemens nl>
Date: Thu, 13 Dec 2001 17:20:49 +0100

You take two computers. Connect them both to a hub and the hub to the
switch. Run Windows NT or 2000 on one, Linux on the other. Configure the
Linux system to ARP route IP traffic to the default network segment gateway.
Use DSNIFF (actually several tools, you want to use ARPSPOOF) or Ettercap to
spoof the target system. What you are actually doing is telling the target
system that you are the default gateway. Now all traffic sent from the
target to the gateway is actually sent to your box. Since your box is on a
hub, the second box running Windows can sniff your personal segment. Just
pick the SMB traffic from the wire (most guys never bother enabling SMB
signing so there you go). Meanwhile your Linux box is forwarding the traffic
to the real gateway, which knows how to handle the traffic. Responses from
the real gateway will however still go directly to the target system. If you
want to get the full flow and do it properly, also spoof the gateway,
telling him that you are the target host.

Unfortunately I do not have an ARP spoofing tool for a Windows box. Anybody
out there who has one? It makes life easier when on a remote prompt of a
compromised system in another network segment :-)

Erwin

-----Original Message-----
From: Thad Horak [mailto:thadhorak () yahoo com]
Sent: Thursday 13 December 2001 17:06
To: Zwan-van-der.Erwin
Subject: RE: SMBRelay issues


Here ya go. The zip has both the smbrelay.exe's and
the html documentation. Let me know if you have better
luck.

The ultimate goal is to gather SMB logons from
machines homed to the same switch as my attacking
machine. How would I go about ARP Spoofing to get the
hosts to send the traffic to me? If I could accomplish
this, sniffing it is pretty trivial. The last question
would be how to route it back to the original
destination?

Thanks.

Thad
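The ARP spoof Erwin describes leaves a visible trace on the wire: the gateway's IP is suddenly advertised from a different MAC, and when both sides are spoofed one MAC ends up claiming two IPs. The script below is an added example from the defender's side (it is not code from either poster, and the MAC/IP values and frames are constructed): it parses raw Ethernet/ARP frames, tracks sender IP-to-MAC bindings, and reports both symptoms. Where SMB signing is not enabled, this kind of monitor is the next best control for catching the attack on a switched segment.

```python
"""ARP spoof detector over raw Ethernet/ARP frames.

Added example for this thread, not code from either poster. It watches the
sender MAC/IP bindings in ARP traffic and reports the two symptoms of the
gateway spoof described above: a known IP (the gateway) being advertised
from a new MAC, and a single MAC claiming to be several IPs (the "also
spoof the gateway" case). All addresses and frames below are constructed.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(frame[22:28]), ip_str(frame[28:32])


class ArpWatcher:
    """Learns IP->MAC bindings from ARP sender fields and flags suspicious changes."""

    def __init__(self, protected_ips=()):
        self.protected = set(protected_ips)   # e.g. the default gateway
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _oper, mac, ip = parsed
        new_alerts = []
        # Symptom 1: an IP we already know moves to a different MAC.
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            sev = "critical" if ip in self.protected else "warning"
            new_alerts.append((sev, "rebind", ip, old, mac))
        self.ip_to_mac[ip] = mac
        # Symptom 2: one MAC now claims more than one IP (spoofing both sides).
        known_ips = self.mac_to_ips[mac]
        if ip not in known_ips:
            known_ips.add(ip)
            if len(known_ips) > 1:
                new_alerts.append(("critical", "multi_ip", mac, tuple(sorted(known_ips))))
        self.alerts.extend(new_alerts)
        return new_alerts


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet/ARP frame from raw 6-byte MACs and 4-byte IPs (sample data only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


# Constructed sample: a gateway, a workstation, and a third host that later
# advertises both of their IPs from its own MAC.
GW_MAC, GW_IP = bytes.fromhex("aabbcc000001"), bytes([10, 0, 0, 1])
PC_MAC, PC_IP = bytes.fromhex("aabbcc000050"), bytes([10, 0, 0, 50])
X_MAC = bytes.fromhex("eeeeeeeeeeee")

SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GW_MAC, GW_IP, PC_MAC, PC_IP),   # normal gateway reply
    build_arp(ARP_REPLY, PC_MAC, PC_IP, GW_MAC, GW_IP),   # normal workstation reply
    build_arp(ARP_REPLY, X_MAC, GW_IP, PC_MAC, PC_IP),    # third host claims the gateway IP
    build_arp(ARP_REPLY, X_MAC, PC_IP, GW_MAC, GW_IP),    # ...and then the workstation IP
]


def analyze(frames, protected_ips=("10.0.0.1",)):
    """Feed frames through a watcher and return the collected alerts."""
    watcher = ArpWatcher(protected_ips)
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(alert)
```

On a live segment the same `ArpWatcher.observe` would be fed from a raw socket or a pcap reader; the rebind rule on its own produces noise on networks with DHCP reassignment, which is why the gateway is marked as protected and only its rebinding is rated critical.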

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
