SMB Relay Attacks

Instead of capturing hashes, we can relay them over SMB to gain access to a machine. Two conditions must hold:

  • SMB signing must be disabled or not enforced on the target

  • The relayed user must be a local admin on the target machine for the relay to be of any real value

Identifying

Nmap

$ nmap --script=smb2-security-mode.nse -p445 [target]

Look for hosts whose output reports message signing as disabled, or enabled but not required.
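Scanning a whole range by hand and reading each host's script output is tedious, so here is an added example (not part of the original notes) that reads nmap's XML output (-oX) and sorts hosts into "enforced", "not_enforced" and "disabled" based on the smb2-security-mode message text. The embedded XML is a constructed sample modelled on nmap's output format, the IPs are made up, and the classification assumes the script's "Message signing ..." phrasing; the list of hosts it returns is the one to remediate (and the same list these notes feed into a relay target file).

```python
"""Audit nmap smb2-security-mode results for the SMB signing state of each host.

Usage: run with no argument to process the constructed sample below, or pass
the path of an nmap XML file produced with
    nmap --script=smb2-security-mode -p445 -oX scan.xml <range>
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on nmap -oX output; not output from a real scan.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap --script=smb2-security-mode -p445 -oX scan.xml 10.0.0.0/29">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb2-security-mode" output="&#xa;  3.1.1: &#xa;    Message signing enabled but not required">
        <table key="3.1.1"><elem>Message signing enabled but not required</elem></table>
      </script>
    </port></ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb2-security-mode" output="&#xa;  3.1.1: &#xa;    Message signing enabled and required">
        <table key="3.1.1"><elem>Message signing enabled and required</elem></table>
      </script>
    </port></ports>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb2-security-mode" output="&#xa;  2.1: &#xa;    Message signing is disabled and not required!">
        <table key="2.1"><elem>Message signing is disabled and not required!</elem></table>
      </script>
    </port></ports>
  </host>
  <host>
    <address addr="10.0.0.8" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def classify_signing(text: str) -> str:
    """Map the script's message text to a signing state.

    "disabled" is checked first because nmap's disabled message also
    contains the words "not required".
    """
    t = text.lower()
    if "disabled" in t:
        return "disabled"
    if "not required" in t:
        return "not_enforced"
    if "required" in t:
        return "enforced"
    return "unknown"


def parse_signing_report(xml_text: str) -> dict:
    """Return {ipv4: state} for every host that produced smb2-security-mode output.

    Hosts with 445 closed (no script element) are left out of the report.
    """
    root = ET.fromstring(xml_text.strip())
    report = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for script in host.iter("script"):
            if script.get("id") == "smb2-security-mode":
                report[addr_el.get("addr")] = classify_signing(script.get("output", ""))
    return report


def relay_exposed_hosts(report: dict) -> list:
    """Hosts that accept unsigned SMB sessions, in numeric IP order: the ones to fix."""
    exposed = [ip for ip, state in report.items() if state in ("disabled", "not_enforced")]
    return sorted(exposed, key=ipaddress.ip_address)


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    rep = parse_signing_report(xml_text)
    for ip in sorted(rep, key=ipaddress.ip_address):
        print(f"{ip:16} {rep[ip]}")
    print("\nSigning not enforced on:", ", ".join(relay_exposed_hosts(rep)) or "none")
```

The "unknown" state is deliberate: a host whose script output changes wording between nmap versions should show up for manual review rather than silently being counted as safe.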

Attacks

Responder

  • Turn off Responder's own SMB and HTTP servers in /etc/responder/Responder.conf, otherwise Responder answers those connections itself instead of leaving them to the relay:

; Servers to start
SMB = Off
HTTP = Off

  • Run Responder:

$ sudo responder -I eth0 -dP

  • Run ntlmrelayx (Impacket 0.9.19, installed via pimpmykali) with a target file listing the hosts identified above as having SMB signing disabled or not enforced

  • We can add -i to the ntlmrelayx command to get an interactive shell (the output tells us which local port to connect to)

  • We can instead add -c "[command]" to run a single command when the relay succeeds

Defense

Enable SMB signing on all devices

  • Can cause some performance issues with file copies

Disable NTLM authentication on the network

  • If Kerberos stops working, Windows will fall back to NTLM

Account tiering

  • Enforcing the policy may be difficult

Local admin restriction

  • Potential increase in service desk tickets
