Relay Agent Bind SMB listener

With the SMB bind listener, the relay type of listener still operates without creating a listening socket on the Command and Control (C2) system. Instead, it uses an existing agent connection and SMB named pipes for network communication. This approach allows for secure and flexible communication channels within a network environment.

  1. Configuration of the New Agent: Instead of creating a listening endpoint on a TCP port, the relay listener configures a new agent to start listening for connections over an SMB pipe. The specific SMB pipe name is defined during the relay listener's setup.

  2. Utilizing an Existing Agent: To establish a connection with the newly configured SMB listener, the "connect-smb" command is executed on another existing agent. This command includes the hostname of the machine hosting the SMB listener and the SMB pipe name.

  3. Establishing a New Connection: When the "connect-smb" command is executed, a new connection is established, routed through the agent that executed the command. This process uses the SMB protocol for communication, leveraging the named pipe mechanism.

  4. Communication Through the Intermediate Agent: Communication with the newly created SMB listener is routed through the existing agent, utilizing the SMB pipe for data transfer. The existing agent acts as the relay point, providing a secure and flexible pathway for communication with the new agent.

Benefits of Using SMB Pipes

  • Obfuscation: This method helps evade traditional detection mechanisms by using SMB pipes for communication instead of common network ports.
  • Bypassing Network Restrictions: Using SMB traffic, which is commonly allowed within internal networks, helps bypass firewalls and restrictions on common TCP/UDP traffic.
  • Stealth: Operating within an SMB framework adds an additional layer of obfuscation in environments where direct TCP communication might raise suspicion.
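
From the defender's side, a remote connection to a named pipe is recorded on the target host as access to the IPC$ share when Detailed File Share auditing is enabled. The following added example (not part of the original documentation or the plugin) filters Security event 5145 records for pipe names outside a baseline. The baseline list, the function names and all sample events, including the pipe name example_relay_pipe, are assumptions constructed for illustration.

```python
# Added example: flag remote named-pipe access seen in Windows Security
# event 5145. All events below are constructed samples, not real telemetry.
from collections import defaultdict

# Assumption: starter baseline of well-known Windows RPC pipes; tune per environment.
BASELINE_PIPES = {
    "srvsvc", "wkssvc", "lsarpc", "samr", "netlogon", "svcctl",
    "winreg", "spoolss", "eventlog", "atsvc", "epmapper",
}

def is_ipc_share(share_name):
    # Event 5145 reports remote pipe access with ShareName \\*\IPC$
    return share_name.rstrip("\\").upper().endswith("IPC$")

def unusual_pipe_access(events, baseline=BASELINE_PIPES):
    """Return {(source_ip, host, pipe): count} for non-baseline pipes opened over IPC$."""
    hits = defaultdict(int)
    for ev in events:
        # Skip other event types and ordinary file-share access.
        if ev.get("EventID") != 5145 or not is_ipc_share(ev.get("ShareName", "")):
            continue
        pipe = ev.get("RelativeTargetName", "").strip("\\").lower()
        if pipe and pipe not in baseline:
            hits[(ev.get("IpAddress"), ev.get("Computer"), pipe)] += 1
    return dict(hits)

# Constructed sample events using the field names logged by event 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "FS01", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
    {"EventID": 5145, "Computer": "FS01", "IpAddress": "10.0.0.21",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\report.docx"},
    {"EventID": 5145, "Computer": "WS07", "IpAddress": "10.0.0.34",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "example_relay_pipe"},
    {"EventID": 5145, "Computer": "WS07", "IpAddress": "10.0.0.34",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "Example_Relay_Pipe"},
    {"EventID": 4624, "Computer": "WS07", "IpAddress": "10.0.0.34"},
]

if __name__ == "__main__":
    for (src, host, pipe), count in unusual_pipe_access(SAMPLE_EVENTS).items():
        print(f"{src} -> {host} pipe={pipe} events={count}")
```

Each hit names the source address and the host exposing the pipe, which maps directly onto the relay agent and the bind agent in the chain above. Sysmon events 17 (pipe created) and 18 (pipe connected) add the process that owns the pipe on the listening host.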

Plugin ID: shelldot.listener.relay-agent-bind-smb

Configuration

  • pipename - Name of the SMB pipe on which the agent will start waiting for connections