Snarf Enhancement: Ignore Failed Logins
SMB relay is a beautiful technique. Most SMB relay tools disrupt the client’s actions and deliver a single payload, which often means you give up perfectly good sessions that you could otherwise use for profit. In collaboration with Victor Mata, I had the pleasure of writing Snarf, whose key feature is that it relays a connection and then retains it, allowing you to reuse an already-authenticated session many times. For more info, check out the presentation we gave at Derbycon ’14.
I continue to get a lot of value out of Snarf in pentests. But sometimes it gets a little annoying in real environments when accounts that you’re relaying aren’t valid. If you have used Snarf and seen the following, then I think I have just fixed it:
    1006 20:44 :) josh ~ $ smbclient -U b%b //127.0.0.1/c$ -c ls
    Domain=[SNARFING_MITM] OS=[Snarf] Server=[Josh S. & Victor M.]
    tree connect failed: NT_STATUS_USER_SESSION_DELETED
This happens when the session you’re relaying can’t log in – maybe the password’s wrong, or the account doesn’t exist (anymore?), or the account is locked out. This is not unusual when you consider that lots of the stray SMB logins that result from LLMNR or NBNS poisoning relate to hosts or apps that have been decommissioned. Obviously, these sessions are of no value to the pentester, so Snarf shouldn’t keep them around.
If you update Snarf, this is what you should see when any relayed connection fails to log in (this is in the Snarf console output):
    20:50:21 Writing hash for WORKGROUP\test to snarf.pot
    20:50:21 [0] Server: SMB (35 bytes), CMD: SMB_COM_SESSION_SETUP_ANDX
    20:50:21 ERROR: client failed authentication!
    20:50:21 Setting UID to 2048
    20:50:21 Rewiring middler as dumb relay until it dies
    20:50:21 Activating middler
    20:50:21 Ready to start listening for hackers
    20:50:21 Listening for hacker clients on 445
    20:50:21 Keepalive for middler
    20:50:21 Destroying client socket!
    20:50:21 Server connection encountered an errorError: read ECONNRESET
    20:50:21 This could be because of a failure to route to the destination
    20:50:21 Encountered error from server
    20:50:21 Removing Middler #0
Of note, you will see the message indicating that the relayed session failed to log in (the session setup resulted in a non-zero status code), and the message showing that the middler has been rewired to function as a dumb relay. This way it won’t show up in your Snarf console. This should reduce the clutter quite a bit – test it out and let me know if you like the fix!
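The status check described above, as an added example in JavaScript (not Snarf's own code): it reads the NT status from an SMB1 SESSION_SETUP_ANDX response header and classifies the login, which is also how a failed SMB logon can be recognised when reviewing a capture. The function names and sample messages are constructed for illustration, and the example assumes the 4-byte NetBIOS session header has already been stripped. It also treats STATUS_MORE_PROCESSING_REQUIRED as an intermediate NTLMSSP step rather than a failure.

```javascript
// Added example, not from the Snarf code base. All names here are hypothetical.
// SMB1 header layout (32 bytes): magic[0..3], command[4], status[5..8],
// flags[9], flags2[10..11], pidHigh[12..13], signature[14..21],
// reserved[22..23], tid[24..25], pidLow[26..27], uid[28..29], mid[30..31].
const SMB1_MAGIC = Buffer.from([0xff, 0x53, 0x4d, 0x42]); // "\xFFSMB"
const SMB_COM_SESSION_SETUP_ANDX = 0x73;
const SMB_FLAGS_REPLY = 0x80;
const STATUS_SUCCESS = 0x00000000;
const STATUS_MORE_PROCESSING_REQUIRED = 0xc0000016; // NTLMSSP challenge leg
const STATUS_LOGON_FAILURE = 0xc000006d;

// Parse the fixed SMB1 header; returns null if the buffer is not SMB1.
function parseSmb1Header(buf) {
  if (buf.length < 32 || !buf.subarray(0, 4).equals(SMB1_MAGIC)) return null;
  return {
    command: buf.readUInt8(4),
    status: buf.readUInt32LE(5),
    isReply: (buf.readUInt8(9) & SMB_FLAGS_REPLY) !== 0,
    uid: buf.readUInt16LE(28),
  };
}

// Classify a server message as an authenticated, in-progress or failed login.
function classifySessionSetup(buf) {
  const hdr = parseSmb1Header(buf);
  if (!hdr || !hdr.isReply || hdr.command !== SMB_COM_SESSION_SETUP_ANDX) {
    return 'not-session-setup';
  }
  if (hdr.status === STATUS_SUCCESS) return 'authenticated';
  if (hdr.status === STATUS_MORE_PROCESSING_REQUIRED) return 'in-progress';
  return 'failed'; // any other non-zero status: bad password, locked out, etc.
}

// Constructed sample: a 35-byte response (32-byte header, WordCount = 0,
// ByteCount = 0), the size an error reply with no parameters or data has.
function buildResponse(status, uid) {
  const buf = Buffer.alloc(35);
  SMB1_MAGIC.copy(buf, 0);
  buf.writeUInt8(SMB_COM_SESSION_SETUP_ANDX, 4);
  buf.writeUInt32LE(status, 5);
  buf.writeUInt8(SMB_FLAGS_REPLY, 9);
  buf.writeUInt16LE(uid, 28);
  return buf;
}

console.log(classifySessionSetup(buildResponse(STATUS_LOGON_FAILURE, 0)));
```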