SMBetray – Backdooring and Breaking Signatures

Comments Off on SMBetray – Backdooring and Breaking Signatures

The goal of this tool is to switch the aim of MiTM on SMB from attacking the server through relayed connections, to attacking the client through malicious files and backdoored/replaced data when the opportunity strikes.

In SMB connections, the security mechanisms protecting the integrity of the data passed between the server and the client are SMB signing and encryption. The signatures in on SMB packets when SMB signing is used are based on keys derived from information sent over the net in cleartext during the authentication phase, as well the user’s password. If the password of the user is known, an attacker can re-create the SessionBaseKey and all other SMB keys and leverage them to modify SMB packets and re-sign them so that they are treated as valid and legitimate packets by the server and client. Additionally, signing is disabled by default on most everything except for domain controllers, so the need to break the signatures is rare.

Finally, since encryption is rarely ever used, at the bare minimum this tool allows for the stealing of files passed in cleartext over the network – which can prove useful for system enumeration, or damaging if the data intercepted is sensitive in nature (PCI, PII, etc).

Released at Defcon26 at “SMBetray – Backdooring and Breaking Signatures”

 

 

Features

  • Passively download any file sent over the wire in cleartext
  • Downgrade clients to NTLMv2 instead of Kerberos
  • Inject files into directories when view by a client
  • Replace all files with a LNK with the same name to execute a provided command upon clicking
  • Replace only executable files with a LNK with the same name to execute a provided command upon clicking
  • Replace files with extension X with the contents of the file with extension X in the local provided directory
  • Replace files with the case-insensitive name X with the contents of the file sharing hte same name in the provided directory

 

Installation

Requires a system using iptables

sudo bash install.sh

 

Usage

First, run a bi-directional arp-cache poisoning attack between your victim, and their gateway or destination network shares, eg:

sudo arpspoof -i <iface> -c both -t <target_ip> -r <gateway_ip>

Then run smbetray with some attack modules

sudo ./smbetray.py --passive ./StolenFilesFolder --lnkSwapAll "powershell -noP -sta -w 1 -enc AABCAD....(etc)" -I eth0

 

Backdooring and Breaking Signatures: SMBetray Download

Related Articles

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
Live Chat
RESOURCES
Get Started
TOOLBOX
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress