{"id":13540289,"url":"https://github.com/quickbreach/smbetray","last_synced_at":"2025-04-02T07:30:47.839Z","repository":{"id":201431560,"uuid":"144427339","full_name":"quickbreach/SMBetray","owner":"quickbreach","description":"SMB MiTM tool with a focus on attacking clients through file content swapping, lnk swapping, as well as compromising any data passed over the wire in cleartext. ","archived":false,"fork":false,"pushed_at":"2018-08-17T00:45:05.000Z","size":60,"stargazers_count":383,"open_issues_count":5,"forks_count":88,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-11-03T05:32:40.433Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quickbreach.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-08-12T00:38:02.000Z","updated_at":"2024-10-15T13:48:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"13300559-5a0a-4e60-aa62-a5ae9bb10548","html_url":"https://github.com/quickbreach/SMBetray","commit_stats":null,"previous_names":["quickbreach/smbetray"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quickbreach%2FSMBetray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quickbreach%2FSMBetray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quickbreach%2FSMBetray/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quickbreach%2FSMBetray/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quickbreach","download_url":"https://codeload.github.com/quickbreach/SMBetray/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246774222,"owners_count":20831496,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:45.109Z","updated_at":"2025-04-02T07:30:43.558Z","avatar_url":"https://github.com/quickbreach.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"79499aeece9a2a9f64af6f61ee18cbea\"\u003e\u003c/a\u003e浏览嗅探\u0026\u0026流量拦截\u0026\u0026流量分析\u0026\u0026中间人","\u003ca id=\"42f9e068b6511bcbb47d6b2b273097da\"\u003e\u003c/a\u003e未分类"],"sub_categories":["\u003ca id=\"11c73d3e2f71f3914a3bca35ba90de36\"\u003e\u003c/a\u003e中间人\u0026\u0026MITM","\u003ca id=\"3bd67ee9f322e2c85854991c85ed6da0\"\u003e\u003c/a\u003e投毒\u0026\u0026Poisoning"],"readme":"# SMBetray\nVersion 1.0.0. This tool is a PoC to demonstrate the ability of an attacker to intercept and modify insecure SMB connections, as well as compromise some secured SMB connections if credentials are known. \n\n# Background\nReleased at Defcon26 at \"SMBetray - Backdooring and Breaking Signatures\"\n\nIn SMB connections, the security mechanisms protecting the integrity of the data passed between the server and the client are  SMB signing and encryption. The signatures in on SMB packets when SMB signing is used are based on keys derived from information sent over the net in cleartext during the authentication phase, as well the user's password. If the password of the user is known, an attacker can re-create the SessionBaseKey and all other SMB keys and leverage them to modify SMB packets and re-sign them so that they are treated as valid and legitimate packets by the server and client. Additionally, signing is disabled by default on most everything except for domain controllers, so the need to break the signatures is rare. \n\nThis goal of this tool is to switch the aim of MiTM on SMB from attacking the server through relayed connections, to attacking the client through malicious files and backdoored/replaced data when the oppertunity strikes. Finally, since encryption is rarely ever used, at the bare minimum this tool allows for the stealing of files passed in cleartext over the network - which can prove useful for system enumeration, or damaging if the data intercepted is sensitive in nature (PCI, PII, etc).\n\nMore background info and demos can be found here https://blog.quickbreach.io/smbetray-backdooring-and-breaking-signatures/\n\n# Installation\nRequires a system using iptables\n\n\tsudo bash install.sh \n\n# Usage\nFirst, run a bi-directional arp-cache poisoning attack between your victim, and their gateway or destination network shares, eg:\n\n\tsudo arpspoof -i \u003ciface\u003e -c both -t \u003ctarget_ip\u003e -r \u003cgateway_ip\u003e\n\nThen run smbetray with some attack modules \n\n\tsudo ./smbetray.py --passive ./StolenFilesFolder --lnkSwapAll \"powershell -noP -sta -w 1 -enc AABCAD....(etc)\" -I eth0\n\n# Demo\nA demo of the tool can be found here: https://blog.quickbreach.io/smbetray-backdooring-and-breaking-signatures/\n\n# Features\n- Passively download any file sent over the wire in cleartext\n- Downgrade clients to NTLMv2 instead of Kerberos\n- Inject files into directories when view by a client\n- Replace all files with a LNK with the same name to execute a provided command upon clicking\n- Replace only executable files with a LNK with the same name to execute a provided command upon clicking\n- Replace files with extension X with the contents of the file with extension X in the local provided directory\n- Replace files with the case-insensitive name X with the contents of the file sharing hte same name in the provided directory \n\n\n# Notice:\nMore information to come - currently the tool does not support SMBv1 only connections, which is not a problem 99% of the time. The code is ugly, but it has a great personality.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquickbreach%2Fsmbetray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquickbreach%2Fsmbetray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquickbreach%2Fsmbetray/lists"}