My esteemed colleague, Victor Mata, and I had the privilege to present our long-time research project, Snarf, at NOLAcon this past weekend. It was great to get everything together to share with others. Coincident with this presentation is the Github release of our source code, so others can experiment with the tool as well.
What is Snarf, you might ask? Think about SMB Relay (e.g., via the Spider Labs Responder), one of the most profitable attacks in the present penetration testing environment. This popular attack is supported by several tools, but is often sort of a “fire and forget” attack. If you happen to get an SMB connection, and it happens to be an admin user, and you happen to choose a system that doesn’t have AV (or you happened to choose a good payload), then it works, and you get control of a system on the network.
But what if it doesn’t happen so cleanly? Victor and I were frustrated that attacks like these are often a “one-shot” deal. We wanted to move SMB Relay from the exploitation phase to the discovery phase, and try to get utility out of middled connections that aren’t quite in the “sweet spot” described above. E.g., if you don’t have admin, you can at least still look at shares. And there are lots of SMB tools you might want to try – why can’t SMB relay let you do more?
Well, it can, but it took us a good bit of work. Along the way, we produced Snarf – a tool that middles a connection to an SMB server, but keeps the server connection when the client is done with it. We then present a localhost SMB server that authenticates any username/password, but then jacks in directly to the existing server connection that we stole from the client. You can connect any number of times, with any SMB tool (as long as it speaks the right dialect), experiment with payloads or post-exploitation exploration – all with only one connection. We just never throw away a usable connection!
What’s also cool is that this applies to lots of protocols. We have some working beta-ish code for MySQL, which we presented in our talk at NOLAcon (not integrated into the public source yet). The possibilities are really exciting for effectively demonstrating the need to secure network services during penetration tests.