ESET Online Help

SMB Relay

SMB Relay and SMB Relay 2 are special programs capable of carrying out attacks against remote computers. The programs use the Server Message Block file-sharing protocol, which is layered onto NetBIOS. A user sharing any folder or directory within the LAN most likely uses this file-sharing protocol.

Within local network communication, password hashes are exchanged.

SMB Relay receives a connection on UDP ports 139 and 445, relays the packets between the client and server, and modifies them. After connecting and authenticating, the client is disconnected. SMB Relay creates a new virtual IP address. The new address can be accessed using the command “net use \\192.168.1.1”. Any of the Windows networking functions can then use the address. SMB Relay relays SMB protocol communication except for negotiation and authentication. Remote attackers can use the IP address if the client computer is connected.

SMB Relay 2 works on the same principle as SMB Relay, except it uses NetBIOS names rather than IP addresses. Both can carry out “man-in-the-middle” attacks. These attacks allow remote attackers to read, insert and modify messages exchanged between two communication endpoints without being noticed. Computers exposed to such attacks often stop responding or restart unexpectedly.
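For defenders, the relaying behaviour described above leaves a recognisable trace in connection logs: one host accepts a connection on port 139 or 445 and almost immediately opens its own connection on those ports to a third host. The following is an added example, not part of the ESET help text or any ESET product; the flow-record layout, the 5-second window and the sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

SMB_PORTS = {139, 445}   # ports named in the description above
WINDOW_SECONDS = 5       # assumed correlation window, tune per network

# Hypothetical flow record: timestamp (s), source, destination, destination port
Flow = namedtuple("Flow", "ts src dst dport")

# Constructed sample records (not real traffic)
SAMPLE_FLOWS = [
    Flow(100.0, "10.0.0.21", "10.0.0.50", 445),  # client -> middle host
    Flow(100.4, "10.0.0.50", "10.0.0.10", 445),  # middle host -> server
    Flow(200.0, "10.0.0.22", "10.0.0.10", 445),  # ordinary client -> server
    Flow(300.0, "10.0.0.23", "10.0.0.60", 139),  # inbound only, no onward leg
    Flow(400.0, "10.0.0.10", "10.0.0.11", 445),  # outbound long after inbound
    Flow(500.0, "10.0.0.24", "10.0.0.50", 80),   # not SMB, ignored
]

def find_relay_candidates(flows, window=WINDOW_SECONDS):
    """Return (middle, client, server) tuples where a host accepts an SMB
    connection and opens one to a third host within `window` seconds."""
    smb = sorted((f for f in flows if f.dport in SMB_PORTS), key=lambda f: f.ts)
    hits = []
    for inbound in smb:
        for outbound in smb:
            if outbound.src != inbound.dst:
                continue  # onward leg must start at the host that was contacted
            if outbound.dst == inbound.src:
                continue  # traffic back to the same peer is not a relay leg
            if 0 <= outbound.ts - inbound.ts <= window:
                hits.append((inbound.dst, inbound.src, outbound.dst))
    return hits

if __name__ == "__main__":
    for middle, client, server in find_relay_candidates(SAMPLE_FLOWS):
        print(f"review {middle}: accepted SMB from {client}, then connected to {server}")
```

This is a heuristic: hosts that legitimately act as both SMB server and client will also match and need to be allow-listed.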

To avoid attacks, we recommend that you use authentication passwords or keys.