CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves [37]

MITM Attacks and Countermeasures

In an SMB relay MITM attack the attacker sets up a fraudulent SMB server at a relay address. When a victim client connects to the fraudulent server, the MITM server intercepts the connection, captures the victim's challenge/response authentication (the client never sends the password itself, only a response computed from its hash), and relays that authentication to the real target server, obtaining a session there as the victim without ever knowing or cracking the password.

Figure 4.1 illustrates an example of such an attack.

FIGURE 4.1 SMB relay MITM attack

SMB relay countermeasures include configuring Windows 2000 to use SMB signing, which causes each block of SMB communications to be cryptographically signed with a key derived from the authenticated user's credentials; the relay never learns that key, so the session it hijacked cannot produce valid signatures. These settings are found under Security Policies/Security Options (on Windows 2000 the server-side policy is Digitally sign server communication (always)). The setting must be always rather than when possible: if signing is merely offered, the relay simply negotiates an unsigned session.
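
The exchange described above, modelled in code as an added example that is not from the book: a toy NTLMv2-style challenge/response in which the relay forwards the real server's challenge to the victim and the victim's response back to the server. With signing off, the relayed session executes commands; with signing required, the server rejects the relay's first command, because the session key is derived from the password hash that the relay never sees. The account names, the command string, the method-call "network" and the use of SHA-256 in place of the NT hash's MD4 are assumptions made for the example.

```python
"""Toy model of an SMB relay and why SMB signing defeats it (added example).
Assumptions: the NT hash is SHA-256 instead of MD4 so it runs on any Python
build, and the "network" is direct method calls. The property shown is real:
the session key comes from the password hash, which the relay never learns."""
import hashlib
import hmac
import os

DOMAIN, USER, PASSWORD = "CORP", "alice", "Winter2024!"   # constructed sample account

def nt_hash(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()   # stand-in for MD4

def ntlmv2_key(password, user, domain):
    # NTLMv2 per-user key: HMAC-MD5(NT hash, upper(user) + domain)
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()

def ntlmv2_response(key, server_challenge, client_blob):
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()

def session_key(key, response):
    # Derived from the password-based key: only client and real server can compute it
    return hmac.new(key, response, hashlib.md5).digest()

def sign(skey, seq, message):
    return hmac.new(skey, seq.to_bytes(4, "little") + message, hashlib.md5).digest()[:8]

class SmbServer:
    def __init__(self, accounts, require_signing):
        self.accounts = accounts            # user -> password (toy; real servers hold hashes)
        self.require_signing = require_signing
        self._pending = {}                  # session id -> challenge awaiting a response
        self._sessions = {}                 # session id -> session key

    def negotiate(self):
        sid, challenge = os.urandom(4).hex(), os.urandom(8)
        self._pending[sid] = challenge
        return sid, challenge

    def authenticate(self, sid, user, domain, client_blob, response):
        challenge = self._pending.pop(sid, None)
        if challenge is None or user not in self.accounts:
            return False
        key = ntlmv2_key(self.accounts[user], user, domain)
        if not hmac.compare_digest(ntlmv2_response(key, challenge, client_blob), response):
            return False
        self._sessions[sid] = session_key(key, response)
        return True

    def execute(self, sid, seq, message, signature=None):
        if sid not in self._sessions:
            return "ACCESS_DENIED"
        if self.require_signing and (signature is None or not hmac.compare_digest(
                sign(self._sessions[sid], seq, message), signature)):
            return "ACCESS_DENIED"          # unsigned or forged: the relay lands here
        return "OK:" + message.decode()

class SmbClient:
    def __init__(self, user, password, domain):
        self.user, self.domain = user, domain
        self.key = ntlmv2_key(password, user, domain)

    def connect(self, server):
        # Works against anything offering negotiate()/authenticate(): the client
        # cannot tell a relay from the real server.
        sid, challenge = server.negotiate()
        blob = os.urandom(8)                # client nonce/timestamp blob
        response = ntlmv2_response(self.key, challenge, blob)
        if not server.authenticate(sid, self.user, self.domain, blob, response):
            raise PermissionError("authentication failed")
        return sid, session_key(self.key, response)

class SmbRelay:
    """Attacker's fraudulent server: forwards the real challenge to the victim and
    the victim's response to the real server, then keeps the resulting session."""
    def __init__(self, target):
        self.target, self.hijacked_sid = target, None

    def negotiate(self):
        return self.target.negotiate()      # the challenge comes from the real server

    def authenticate(self, sid, user, domain, blob, response):
        ok = self.target.authenticate(sid, user, domain, blob, response)
        self.hijacked_sid = sid if ok else None
        return ok

COMMAND = b"READ \\\\target\\C$\\secret.txt"   # constructed sample request

def relay_attack(require_signing):
    # Victim authenticates to the relay; the relay then issues COMMAND on that session
    target = SmbServer({USER: PASSWORD}, require_signing)
    relay = SmbRelay(target)
    SmbClient(USER, PASSWORD, DOMAIN).connect(relay)
    return target.execute(relay.hijacked_sid, 1, COMMAND)   # no session key, no signature

def legitimate_session(require_signing):
    target = SmbServer({USER: PASSWORD}, require_signing)
    sid, skey = SmbClient(USER, PASSWORD, DOMAIN).connect(target)
    return target.execute(sid, 1, COMMAND, sign(skey, 1, COMMAND))
```

relay_attack(False) returns the server's OK and relay_attack(True) returns ACCESS_DENIED, while legitimate_session(True) still succeeds because the real client holds the key. The when-possible policy variant corresponds to the first case: a relay that negotiates no signing is never asked for one.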

Hacking Tools

SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplication and providing a way to target specific users without having to edit the dump files manually.

The SMBDie tool crashes computers running Windows 2000/XP/NT by sending specially crafted SMB requests.

NBTdeputy can register a NetBIOS computer name on a network and respond to NetBIOS over TCP/IP (NetBT) name-query requests. It simplifies the use of SMBRelay: the relay can be referred to by computer name instead of IP address.

NetBIOS DoS Attacks

A NetBIOS Denial of Service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS Name Service on a target Windows system and forces the system to place its name in conflict so that the name can no longer be used. This essentially blocks the client from participating in the NetBIOS network and creates a network DoS for that system. The message is a single unauthenticated UDP datagram to port 137, which is why one host on the segment can do this to every other.
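
To make the Name Release message concrete, here is an added example (not from the book) that performs the RFC 1001 NetBIOS name encoding, builds a NAME RELEASE REQUEST in the RFC 1002 layout and parses it back, ending with the check a sniffer-based detector could apply: a release request whose released address is not the sender's own. Nothing is transmitted; the name FRED and the addresses are constructed sample values, and the detection threshold is an assumption.

```python
"""NetBIOS Name Service (UDP/137) NAME RELEASE REQUEST in RFC 1001/1002 format.
Added example: builds the message a name-conflict DoS tool sends and parses it
back so a detector can flag a release naming someone else's address. Nothing is
sent on the wire."""
import struct

OPCODE_RELEASE = 0x6          # RFC 1002 opcode for name release
NM_FLAG_BROADCAST = 0x0010    # B bit of NM_FLAGS
TYPE_NB, CLASS_IN = 0x0020, 0x0001
SUFFIX_SERVER = 0x20          # <20> file server service suffix byte

def encode_name(name, suffix=SUFFIX_SERVER):
    """First-level encoding: pad to 15 chars + suffix byte, then each byte becomes
    two letters ('A' + high nibble, 'A' + low nibble); wrapped as one 32-byte
    label with a zero terminator (no scope)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + label + b"\x00"

def decode_name(data, offset=0):
    """Inverse of encode_name: returns ((name, suffix), offset after the name)."""
    if data[offset] != 32:
        raise ValueError("unexpected NetBIOS label length %d" % data[offset])
    label = data[offset + 1:offset + 33]
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    end = offset + 33
    while data[end]:                       # skip scope labels, if present
        end += 1 + data[end]
    return (raw[:15].decode("ascii").rstrip(), raw[15]), end + 1

def build_name_release(name, addr, trn_id=0x1234, suffix=SUFFIX_SERVER, broadcast=True):
    """RFC 1002 4.2.9: header, one question, one additional RR whose RDATA holds
    NB_FLAGS (2 bytes) and the IPv4 address being released."""
    flags = (OPCODE_RELEASE << 11) | (NM_FLAG_BROADCAST if broadcast else 0)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 1)   # QD=1 AN=0 NS=0 AR=1
    qname = encode_name(name, suffix)
    question = qname + struct.pack("!HH", TYPE_NB, CLASS_IN)
    rdata = struct.pack("!H", 0x0000) + bytes(int(x) for x in addr.split("."))
    rr = qname + struct.pack("!HHIH", TYPE_NB, CLASS_IN, 0, len(rdata)) + rdata  # TTL 0
    return header + question + rr

def parse_nbns(packet):
    """Header plus first question and first additional RR; enough to classify."""
    trn_id, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", packet[:12])
    info = {"trn_id": trn_id, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & NM_FLAG_BROADCAST)}
    off = 12
    if qd:
        (info["name"], info["suffix"]), off = decode_name(packet, off)
        off += 4                                    # QUESTION_TYPE, QUESTION_CLASS
    if ar:
        _, off = decode_name(packet, off)
        _, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        rdata = packet[off + 10:off + 10 + rdlen]
        info["addr"] = ".".join(str(b) for b in rdata[2:6])
    return info

def is_spoofed_release(packet, src_ip):
    """Detection heuristic (assumption): a NAME RELEASE request is normal only when
    a host releases its own name from its own address. One that releases another
    host's address, which is what a name-conflict DoS tool sends, deserves an alert."""
    info = parse_nbns(packet)
    return (not info["response"] and info["opcode"] == OPCODE_RELEASE
            and info.get("addr") != src_ip)
```

Feed is_spoofed_release the UDP payload and the IP source of each port-137 datagram seen by a sniffer. The caveat is that the tool can also spoof the IP source to match the victim; in that case the tell is a release for a name the victim itself did not announce it was dropping, which needs state from the name registrations seen earlier.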

Hacking Tools

NBName can disable entire LANs and prevent machines from rejoining them. Nodes on a NetBIOS network targeted by the tool think that their names are already in use by other machines.

Password-Cracking Countermeasures

The strongest passwords possible should be implemented to protect against password cracking. Systems should enforce alphanumeric passwords of 8-12 characters; treat 8 as a floor, since every additional character multiplies the space a brute-force attack must search. The length of time the same password should be used is discussed in the next section.

To protect the password hashes stored on the server against offline cracking, you must take care to physically isolate and protect the server: an attacker with access to the disk can copy the SAM database and crack it at leisure. The systems administrator can use the SYSKEY utility in Windows to encrypt the hashes stored in the SAM on the server hard disk with a system key. The server logs should also be monitored for brute-force attacks on user accounts.

A systems administrator can implement the following security precautions to decrease the effectiveness of a brute-force password-cracking attempt:

1. Never leave a default password.

2. Never use a password that can be found in a dictionary.

3. Never use a password related to the host name, domain name, or anything else that can be found with whois.

In the following sections, we'll look at two measures you can take to strengthen passwords and prevent password-cracking.

Password Change Interval

Passwords should expire after a certain amount of time so that users are forced to change their passwords. If the password interval is set too low, then users will forget their current passwords; as a result, a systems administrator will have to reset users' passwords frequently. On the other hand, if passwords are allowed to be used for too long, then security may be compromised. The recommended password-change interval is every 30 days (the Maximum password age setting in the Windows account policy). In addition, it's recommended that users not be allowed to reuse the last three passwords (Enforce password history).

Monitoring Event Viewer Logs

Administrators should monitor Event Viewer logs to recognize intrusion attempts, either as they begin or while they're in progress. Generally, several failed logon attempts are recorded in the Security log (event ID 529 on NT/2000/XP, 4625 on Vista and later) before a successful intrusion or password attack, so a burst of failures followed by a success from the same source is the pattern to look for. The security logs are only as good as the systems administrators who monitor them.
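
A minimal version of the monitoring the section asks for, as an added example that is not from the book: it reads constructed Security log records and flags any source that accumulates several failed logons against one account inside a short window, noting whether a successful logon followed. The record format, the threshold of five failures and the two-minute window are assumptions; the records are not a real export.

```python
"""Brute-force detection over Windows Security log events (added example).
Constructed records, one per line: timestamp,event id,account,source.
529/528 are the NT/2000/XP failed/successful logon IDs; 4625/4624 the
Vista-and-later equivalents (mixed here only to show both generations)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2024-03-01 09:00:01,529,Administrator,WKS-17
2024-03-01 09:00:02,529,Administrator,WKS-17
2024-03-01 09:00:03,529,Administrator,WKS-17
2024-03-01 09:00:04,529,Administrator,WKS-17
2024-03-01 09:00:05,529,Administrator,WKS-17
2024-03-01 09:00:06,529,Administrator,WKS-17
2024-03-01 09:00:07,529,Administrator,WKS-17
2024-03-01 09:00:09,528,Administrator,WKS-17
2024-03-01 09:03:00,529,bob,WKS-03
2024-03-01 09:20:00,528,bob,WKS-03
2024-03-01 09:30:00,4625,svc_backup,10.0.0.5
2024-03-01 09:30:10,4625,svc_backup,10.0.0.5
2024-03-01 09:30:20,4625,svc_backup,10.0.0.5
2024-03-01 09:30:30,4625,svc_backup,10.0.0.5
2024-03-01 09:30:40,4625,svc_backup,10.0.0.5
"""
FAILED_LOGON = {529, 4625}
SUCCESS_LOGON = {528, 4624}

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), user.lower(), src))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {(source, account): info} for every pair with at least `threshold`
    failed logons inside `window`. info records the peak failure count, when the
    run started and whether a successful logon followed within the window (the
    'several failures then success' pattern that suggests a guessed password)."""
    recent = defaultdict(deque)        # (source, account) -> failure timestamps in window
    alerts = {}
    for ts, eid, user, src in sorted(events):
        key, q = (src, user), recent[(src, user)]
        if eid in FAILED_LOGON:
            q.append(ts)
            while ts - q[0] > window:  # drop failures that have aged out of the window
                q.popleft()
            if len(q) >= threshold:
                info = alerts.setdefault(key, {"failures": 0, "first_seen": q[0],
                                               "success_after": False})
                info["failures"] = max(info["failures"], len(q))
        elif eid in SUCCESS_LOGON and key in alerts and q and ts - q[-1] <= window:
            alerts[key]["success_after"] = True
    return alerts

def report(alerts):
    lines = []
    for (src, user), info in sorted(alerts.items()):
        verdict = "LIKELY COMPROMISE" if info["success_after"] else "brute-force attempt"
        lines.append("%s -> %s: %d failures from %s (%s)" % (
            src, user, info["failures"], info["first_seen"].time(), verdict))
    return lines
```

On the sample, the Administrator run from WKS-17 is reported as a likely compromise (seven failures, then a success two seconds later), svc_backup from 10.0.0.5 as an attempt in progress, and bob's single typo is ignored. Keying on (source, account) misses password spraying, where one source tries one guess against many accounts; a second counter keyed on source alone catches that.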

Tools such as VisualLast aid a network administrator in deciphering and analyzing the security log files. VisualLast provides greater insight into the NT event logs so the administrator can assess the activity of the network more accurately and efficiently. The program is designed to allow network administrators to view and report
