SMB Downgrade Attacker

Download v1.1 (for Windows NT 4.0)


The SMB Downgrade Attacker waits for users to remotely try to map shares, and when they do, it will try to get the usernames and passwords in plaintext.

Usage instructions

Download the exe file first of all. Then free TCP port 139 in your Windows machine, which is described in the Q&A. After that is done, you run the exe file and it will immediately start to listen for connections.


Q: How do I unbind TCP port 139 in Windows NT?

A: Click Start - Settings - Control Panel - Network - Bindings. Select "all protocols" and mark "WINS Client (TCP/IP)". Then click Disable - OK. Reboot your computer for the change to take effect.

Q: When I try to map a share on the computer running the SMB Downgrade Attacker, I get the error message "System error 1240 has occurred. The account is not authorized to login from this station.". What's wrong?

A: The client computer is probably Windows NT 4.0 with SP3 or later. If it is, the SMB redirector refuses to send plaintext passwords with the default configuration. However, you can circumvent that (but remember that lowers the security). Go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters and add the value EnablePlainTextPassword as a REG_DWORD that contains the data 1.

Q: What does "Client bailed out!" mean?

A: Most of the time it means that the client refuses to send the password in plaintext.

Q: I have problems with the SMB Downgrade Attacker and Windows 9x, what should I do?

A: The SMB Downgrade Attacker has only been written and tested on Windows NT. If it works on other systems that's great, if it doesn't, that's the reason.

Q: I have a question that is not covered here. Where can I get help?

A: Send me your question. I can't promise that I will have time to answer, but I'll do my best.

© Arne Vidstrom. All rights reserved.