The SMB Downgrade Attacker FAQ 
SMB Downgrade Attacker 

What is the SMB Downgrade Attacker? 

The SMB Downgrade Attacker listens for remote users who try to map shares on the computer it runs on, and when they do, it tries to obtain their usernames and passwords in plaintext.

How do I use this tool? 

First, download the exe file. Then free TCP port 139 on your Windows machine, as described in the FAQ. Once that is done, run the exe file; it immediately starts listening for connections.

Which OSes are supported?

Windows NT 4.0. 




Q: How do I unbind TCP port 139 in Windows NT? 
A: Click Start - Settings - Control Panel - Network - Bindings. Select "all protocols" and mark "WINS Client (TCP/IP)". Then click Disable - OK. Reboot your computer for the change to take effect. 
Q: When I try to map a share on the computer running the SMB Downgrade Attacker, I get the error message "System error 1240 has occurred. The account is not authorized to login from this station." What's wrong?
A: The client computer is probably Windows NT 4.0 with SP3 or later. If it is, the SMB redirector refuses to send plaintext passwords in its default configuration. You can override that on the client, but remember that doing so lowers its security. Go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters and add the value EnablePlainTextPassword as a REG_DWORD that contains the data 1.
Q: What does "Client bailed out!" mean? 
A: Most of the time it means that the client refuses to send the password in plaintext. 
Q: I have problems with the SMB Downgrade Attacker and Windows 9x, what should I do? 
A: The SMB Downgrade Attacker has only been written and tested on Windows NT. If it works on other systems, that's great; if it doesn't, that's the reason.
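
To audit clients for the EnablePlainTextPassword override described in the answer about error 1240, the check below reads a regedit text export and reports whether the redirector has been told to send plaintext passwords. It is an added example, not part of the tool or this FAQ; the sample exports and the ExampleVendor key are constructed, and treating any non-zero data as enabled is an assumption.

```python
import re

# Key and value named in the FAQ answer (Windows NT 4.0 SMB redirector).
RDR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
VALUE = "EnablePlainTextPassword"

# Constructed regedit exports (not from a real host).
WEAK = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"EnablePlainTextPassword"=dword:00000001
'''
SAFE = r'''REGEDIT4

; same value name under an unrelated, made-up key must not count
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"EnablePlainTextPassword"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"enableplaintextpassword"=dword:00000000
'''

def parse_reg(text):
    """Parse a regedit text export into {key: {value_name: raw_data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"\s*=\s*(.+)$', line)
            if m:  # comments, blank lines and the header do not match
                current[m.group(1).lower()] = m.group(2)
    return keys

def plaintext_enabled(text):
    """True if the export explicitly lets the redirector send plaintext passwords."""
    data = parse_reg(text).get(RDR_KEY.lower(), {}).get(VALUE.lower())
    if data is None:
        return False  # value absent: nothing overrides the default
    m = re.fullmatch(r"dword:([0-9a-f]{1,8})", data.strip(), re.I)
    if not m:
        raise ValueError(f"{VALUE} is not a REG_DWORD: {data!r}")
    # Assumption: any non-zero data counts as enabled (the FAQ names the data 1).
    return int(m.group(1), 16) != 0

if __name__ == "__main__":
    for name, export in (("WEAK", WEAK), ("SAFE", SAFE)):
        print(name, "plaintext passwords enabled:", plaintext_enabled(export))
```

A False result means only that the override is not set; on clients older than SP3 the default itself may differ.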