An application called SMBRelay, written by cDc's Sir Dystic, exploits a design flaw in the SMB (Server Message Block) protocol on Win NT/2K boxes, easily enabling an attacker to interpose himself between the client and the server.
The program enables access to the server using the client's authentication by acting as a 'man in the middle' to both. For this reason it's quite difficult to defend against, unless a user blocks port 139 -- which is needed for NetBIOS sessions and therefore not practical for networked boxes -- or by using NTLMv2 which employs 128bit encrypted keys and eliminates LANMAN (NT LAN Manager, or NTLM) hashes for NT clients.
|