SMB Relay

SMB Relay and SMB Relay 2 are special programs that are capable of carrying out attacks against remote computers. The programs take advantage of the Server Message Block file sharing protocol, which is layered onto NetBIOS. A user sharing any folder or directory within the LAN most likely uses this file sharing protocol.

Within local network communication, password hashes are exchanged.

SMB Relay receives a connection on UDP port 139 and 445, relays the packets exchanged by the client and server, and modifies them. After connecting and authenticating, the client is disconnected. SMB Relay creates a new virtual IP address. The new address can be accessed using the command “net use \\192.168.1.1“. The address can then be used by any of the Windows networking functions. SMB Relay relays SMB protocol communication except for negotiation and authentication. Remote attackers can use the IP address, as long as the client computer is connected.

SMB Relay 2 works on the same principle as SMB Relay, except it uses NetBIOS names rather than IP addresses. Both can carry out “man-in-the-middle” attacks. These attacks allow remote attackers to read, insert and modify messages exchanged between two communication endpoints without being noticed. Computers exposed to such attacks often stop responding or restart unexpectedly.

To avoid attacks, we recommend that you use authentication passwords or keys.