Links
🔨

SMB Relay

What is it

A SMB relay attack is where an attacker captures a users NTLM hash and relays its to another machine on the network. Masquerading as the user and authenticating against SMB to gain shell or file access.

Prerequisites

  • SMB Signing disabled on target
  • Must be on the local network
  • User credentials must have remote login access for example; local admin to the target machine or member of the Domain Administrators group.

SMB Signing

What it does

SMB signing verifies the origin and authenticity of SMB packets. Effectively this stops MITM SMB relay attacks from happening. If this is enabled and required on a machine we will not be able to perform a SMB relay attack.

Scanning for Signing disabled machines

Nmap can be used to check for potential SMB relay targets. In the example below I have listed two hosts in my lab network which I know already exist.
nmap --script=smb2-security-mode.nse -p 445 192.168.64.129,134 -Pn --open
As we can see, the two Windows 10 1909 hosts on my network have 'Message signing enabled but not required' meaning we can perform a SMB relay attack as signing is not required.
If I run the same command against the Windows 2019 Domain Controller on my network I get the following:
With 'Signing enabled and required' we will not be able to perform a SMB relay attack. This is true by default for all Windows Server versions.

Lab Scenario

In the lab scenario we have two machines
  • WS01 (192.168.64.134)(Windows 10 1909)
  • WS02 (192.168.64.129)(Windows 10 1909)
We will be capturing a hash on WS01 using LLMNR Poisoning and performing a SMB relay attack to gain shell on WS02.
As per the prerequisites the user account hash we will be capturing (Bart.Simpson) is a member of the local administrators group on the machine we will be relaying to WS02.

How to perform the attack

Dumping local SAM Database

Ideally we will use Responder for this attack which comes preinstalled on Kali Linux. Before we start Responder we need to make a small change to the configuration file.
We need to turn off SMB and HTTP servers as we do not want to respond to these protocols as we will be capturing the hash and relaying it to a different tool called ntlmrelayx.py from Impacket.
Start Responder with the following command:
sudo python Responder.py -I eth0 -v
And then call ntlmrelayx.py from the Impacket directory.
sudo python ntlmrelayx.py -t 192.168.64.129 -smb2support
with both tools listening we can trigger an event using LLMNR as covered previously by myself in how to perform LLMNR Poisoning.
Responder has caught the user 'Bart.Simpson' attempting to browse to a host that does not exists on the network. After DNS has failed to resolve the machine falls back to LLMNR which in this case we have caught the hash and relayed it over to ntlmrelayx.py.
ntlmrelayx.py then forwards the hash over to the machines specified with the -t switch which in this case is 192.168.64.129 or WS02.
As the user 'Bart.Simpson' is an administrator on WS02, ntlmrelayx.py has allowed us to dump the hashes in the SAM database.
We can then takes these hashes and crack them or we can even attempt a pass-the-hash attack and attempt to gain a shell with the NTLMv2 hash on a different machine on the network.

Interactive Shell

We can gain a shell with the same manner above except this time we speciy the -i switch in ntlmrelayx.py.
sudo python ntlmrelayx.py -t 192.168.64.129 -smb2support -i
When we get a successful authentication message in ntlmrelayx.py we will need to open a netcat bind shell on the localhost and port specified in the ntlmrelayx.py output.
Start netcat with a localhost address and the port specified in the output above.
nc 127.0.0.1 <port>
Use the 'help' command once inside the SMB interactive shell to view more options

Mitigations

Enable SMB Signing

This attack can be mitigated by creating a group policy for signing to be required on all network machines.
After this has been enabled I repeated the steps above and attempted to relay a hash to the workstation WS02 which has group policy enabled for requiring SMB signing.
A downside to this setting which may effect the enironment is that signing adds overhead to the network traffic and reduces file transfer speed at around %15 however, security of the network far exceeds the loss in performance.

Tiered Accounts

A major risk in this type of attack and also with LLMNR Poisoning is if a Domain Administrators hash was captured and either taken offline to be cracked or relayed elsewhere into the network. Introducing account tiers into the network would reduce exposure of these credentials being captured.

Local Administrator Restrictions

Removing local administrator rights from users can help prevent lateral movement from the network. For example as per the above attack if the user 'Bart.Simpson' was not an administrator on the relay target WS02 the attack would have not been able to gain an interactive shell.