Replay NTLM auths back to sender with smbrelay3

Yoinked from the Full-Disclosure (FD) mailing list is a tool called smbrelay3 from Andres Tarasco (not related to the older smbrelay tools; he really should have picked a better name). When run, the tool opens a listener. When a client on another system connects to it using one of the protocols it supports (SMB among them), the tool negotiates NTLM with that client and replays the whole NTLM exchange back to the connecting system: the connecting box answers the challenge with its own credentials, so the attacker never needs the password or hash. Hopefully the connecting user has admin rights on that box, so a remote shell can be set up. For more information, check the site and particularly the comments in the source code.

This looks like a tool that could be useful on a spare system that just sits listening on the network for incoming connections. Few people, if any, should have any business connecting to such a box and its listening port, so those who do could be ripe for a counterattack like the one this tool offers.

An attacker could also set up such a box on the target network. The people most likely to find it are admins (or even service tools and scanners running with high privileges!), which can make the damage pretty bad.

Protection against this sort of tool goes back to ye olde patching advice (the NTLM reflection fix Microsoft shipped as MS08-068). You could also avoid running as a privileged user, but that won't stop the tool from still seeking out other holes (srvcheck). I've not tested this, but I imagine a host-based firewall would help as well. Home users should be behind a router or other NAT/firewall device; otherwise you can be tricked into this attack as well.

On the same mail thread Squirtle was mentioned, which sounds like a tool that accepts HTTP connections, pulls in NTLM auths from whatever browsers connect to it at will, and relays them to whatever you like, including a domain controller. Not bad!
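To make the exchange concrete, here is an added Python model of both cases discussed above: smbrelay3 bouncing the connecting host's own NTLM auth back at it, and a Squirtle-style relay to a different host. It is example code written for this post, not smbrelay3's or Squirtle's code. HMAC-SHA256 stands in for the real MD4/NTLMv2 arithmetic (the relay logic does not depend on it), the `reflection_check` flag is a simplified model of the idea behind the same-host reflection fix rather than Microsoft's implementation, and the host names and the `Administrator` account are constructed.

```python
"""Added example: an in-memory model of NTLM relay and reflection.

Stand-ins: HMAC-SHA256 replaces the MD4/NTLMv2 arithmetic; reflection_check
is a simplified model of the same-host reflection defence, not the real patch.
"""
import hashlib
import hmac
import os


def derive_key(password: str) -> bytes:
    # Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16le")).digest()


def compute_response(key: bytes, server_challenge: bytes, client_nonce: bytes) -> bytes:
    # Stand-in for the NTLMv2 response: keyed MAC over the server's challenge
    # and the client's nonce. Only a key holder can produce it, which is why
    # the attacker has to get the victim to compute it.
    return hmac.new(key, server_challenge + client_nonce, hashlib.sha256).digest()


class Host:
    """A Windows-like box that can act as both NTLM server and NTLM client."""

    def __init__(self, name: str, accounts: dict, reflection_check: bool = False):
        self.name = name
        self.accounts = accounts          # local user -> password
        self.reflection_check = reflection_check
        self.outstanding = set()          # Type 2 challenges issued, answer pending
        self.auth_log = []                # (user, success) per Type 3 verified

    # --- server role: the box the attacker relays *to* ---
    def issue_challenge(self) -> bytes:
        """Type 2: hand out a fresh 8-byte server challenge."""
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def verify_type3(self, user: str, client_nonce: bytes,
                     response: bytes, challenge: bytes) -> bool:
        """Type 3: check the response against the password held for `user`."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        password = self.accounts.get(user)
        ok = password is not None and hmac.compare_digest(
            compute_response(derive_key(password), challenge, client_nonce), response)
        self.auth_log.append((user, ok))
        return ok

    # --- client role: the box that connects out to the attacker's listener ---
    def answer_challenge(self, user: str, password: str, challenge: bytes):
        """Compute Type 3 material for whatever challenge the 'server' sent.

        With reflection_check on, refuse a challenge this same host issued as a
        server and is still waiting on: that is exactly the bounce-back case.
        """
        if self.reflection_check and challenge in self.outstanding:
            return None
        nonce = os.urandom(8)
        return nonce, compute_response(derive_key(password), challenge, nonce)


def relay(victim: Host, user: str, password: str, target: Host) -> bool:
    """The attacker's listener: shuttle the three NTLM messages between ends.

    Returns True if the target accepted the relayed auth. The attacker never
    sees a password or hash.
    """
    # Type 1 arrives from the victim; the attacker opens its own connection to
    # the target and sends a Type 1 there (nothing to model).
    # Type 2: the target's challenge is handed back to the victim unchanged.
    challenge = target.issue_challenge()
    # Type 3: the victim answers the *target's* challenge with its own creds.
    answer = victim.answer_challenge(user, password, challenge)
    if answer is None:
        return False                      # victim refused: reflection detected
    nonce, response = answer
    # The attacker forwards that Type 3 to the target as its own.
    return target.verify_type3(user, nonce, response, challenge)


# Constructed sample data (not from the page).
ADMIN_ACCOUNTS = {"Administrator": "Winter2008!"}


def demo_reflection_unpatched() -> bool:
    """smbrelay3's case: the box that connected in is also the target."""
    box = Host("WS01", ADMIN_ACCOUNTS)
    return relay(box, "Administrator", "Winter2008!", box)


def demo_reflection_patched() -> bool:
    """Same bounce against a host that checks for its own outstanding challenge."""
    box = Host("WS01", ADMIN_ACCOUNTS, reflection_check=True)
    return relay(box, "Administrator", "Winter2008!", box)


def demo_cross_host_relay() -> bool:
    """Squirtle's case: relay to a different box where the same account works.
    The same-host check cannot see this, so the relay still succeeds."""
    victim = Host("WS01", ADMIN_ACCOUNTS, reflection_check=True)
    target = Host("FS01", ADMIN_ACCOUNTS, reflection_check=True)
    return relay(victim, "Administrator", "Winter2008!", target)


if __name__ == "__main__":
    print("reflection, unpatched :", demo_reflection_unpatched())  # True
    print("reflection, patched   :", demo_reflection_patched())    # False
    print("relay to another host :", demo_cross_host_relay())      # True
```

The third case is the one to remember when reasoning about the patching advice above: a same-host reflection check only stops the auth being bounced back to the box it came from, so an admin who connects to the attacker's listener can still be relayed to any other box where the same account works.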