search

folder-treeSMB Relay Attacks

Instead of capturing hashes - we can relay them via SMB to gain access to a machine

  • SMB signing must be disabled or not enforced

  • Relayed user credentials must be admin on machine for any real value

hashtag
Identifying

hashtag
Nmap

$ nmap --script=smb2-security-mode.nse -p445 [target]

Find disabled SMB signing or not enforced

hashtag
Attacks

hashtag
Responder

  • Must turn off SMB and HTTP in config:

  • /etc/responder/Responder.conf

; Servers to start
SMB = Off
HTTP = Off

  • Run responder

$ sudo responder -I eth0 -dP

  • Run NTLMRelay (Impacket 0.9.19, use pimpmykaliarrow-up-right) with target file including hosts identified as having SMB signing disabled or not enforced

  • We can add -i to the ntlmrelayx command to get an interactive shell. (output will tell us what port to connect on)

  • We can also add -c "[command]" to run a command when the relay happens instead

hashtag
Defense

hashtag
Enable SMB Signing on all devices

  • can cause some performance issues with file copies

hashtag
Disable NTLM Authentication on Network

  • If Kerberos stops working, Windows will default back to NTLM

hashtag
Account Tiering

  • Enforcing the policy may be difficult

hashtag
Local Admin Restriction

  • Potential increase of service desk tickets

PreviousLLMNR PoisoningNextIPv6 Attacks

Last updated