Pentest Everything

🔨SMB Relay
What is it

An SMB relay attack is one where an attacker captures a user's NTLM hash and relays it to another machine on the network, masquerading as that user and authenticating against SMB to gain shell or file access.

Prerequisites

  • SMB Signing disabled on target

  • Must be on the local network

  • User credentials must have remote login access to the target; for example, the user is a local administrator on the target machine or a member of the Domain Administrators group.

SMB Signing

What it does

SMB signing verifies the origin and authenticity of SMB packets, which effectively stops MiTM SMB relay attacks from succeeding. If signing is enabled and required on a machine, we will not be able to perform a successful SMB relay attack against it.

Systems that are vulnerable to this attack have SMB signing configured to the following:

  • SMB Signing enabled but not required

  • SMB Signing disabled

Systems that are not vulnerable to this attack have SMB signing configured to the following:

  • SMB signing enabled and required

Where it is not already required, this setting needs to be rolled out by Group Policy to prevent relay attacks.

Scanning for SMB signing disabled or not required systems

PsMapExec

If using Windows, PsMapExec can be used to identify whether domain-joined systems require SMB signing or not.

Nmap

Otherwise, Nmap can be used to check for potential SMB relay targets. Below, we check hosts on a CIDR range for their SMB signing status.

The results below show several systems for which SMB signing is enabled but not required, indicating that these systems are valid targets for SMB relay attacks.

If I run the same command against the Domain Controller on my network I get the following:

With 'Signing enabled and required' we will not be able to perform an SMB relay attack against that particular host. This is the default behaviour only for Windows Servers that are Domain Controllers.
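The three states above come straight from the SecurityMode field of the SMB2 NEGOTIATE response, which is what the smb2-security-mode script reads. The following audit helper is an added example, not code from this page or from any of the tools it references: it sends one SMB2 NEGOTIATE to a host and maps the returned flags to the page's wording, so you can verify your own hosts after a signing policy roll-out. Host names, ports and the lab addresses are assumptions.

```python
import socket
import struct
import sys
import uuid

SIGNING_ENABLED, SIGNING_REQUIRED = 0x01, 0x02  # SMB2_NEGOTIATE_SIGNING_ENABLED / _REQUIRED
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)  # offer SMB 2.0.2, 2.1, 3.0, 3.0.2

def build_negotiate_request():
    """64-byte SMB2 header (Command 0 = NEGOTIATE) plus the 36-byte request body and dialect list."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # NetBIOS session header: type 0 + 3-byte length

def security_mode_from_response(smb2):
    """Return the SecurityMode field of an SMB2 NEGOTIATE response (NetBIOS header already stripped)."""
    if smb2[:4] != b"\xfeSMB" or struct.unpack_from("<I", smb2, 8)[0] != 0:  # Status must be 0
        raise ValueError("not a successful SMB2 response")
    return struct.unpack_from("<H", smb2, 66)[0]  # body starts at 64; StructureSize(2) then SecurityMode

def classify(security_mode):
    """Map the SecurityMode flags to the three states discussed on this page."""
    if security_mode & SIGNING_REQUIRED:
        return "signing enabled and required"      # relay to this host fails
    if security_mode & SIGNING_ENABLED:
        return "signing enabled but not required"  # relay target
    return "signing disabled"                      # relay target

def recv_exact(sock, n):
    data = b""
    while len(data) < n:  # TCP may deliver the reply in pieces
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed during NEGOTIATE")
        data += chunk
    return data

def check_host(host, port=445, timeout=3.0):
    """Negotiate with one host and return (security_mode, classification)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = struct.unpack(">I", recv_exact(s, 4))[0] & 0x00FFFFFF
        mode = security_mode_from_response(recv_exact(s, length))
    return mode, classify(mode)

if __name__ == "__main__":  # usage (assumed lab hosts): python smb_signing_check.py 10.10.10.20 10.10.10.21
    for host in sys.argv[1:]:
        print(host, *check_host(host))
```

A host that reports "signing enabled and required" is the state the Group Policy in the mitigations section is meant to produce; anything else is a candidate for relay.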

Performing the attack from Windows

In the lab scenario we have the following machines:

  • WS01 (Windows 10 22H2)(Attacker System)

  • WS02 (Windows 10 22H2)(System used to trigger LLMNR)

  • SRV02 (Windows Server 2019)(Not a Domain Controller)

We will be capturing a hash on WS01 using LLMNR poisoning and performing an SMB relay attack to dump SAM hashes on SRV02.

As per the prerequisites, the user account whose hash we will be capturing (new.admin) is a member of the Administrators group on the machine we will be relaying to (SRV02).

Required Tools

Configure DivertTCPconn to redirect SMB traffic to port 8445 (Requires Local Admin)

Set up NTLMRelayx

Once both tools have been set up, trigger LLMNR poisoning to capture an NTLMv2 request and then relay it to a host that does not have SMB signing required.

Below, we have captured an authentication request for the user "new_admin" and relayed it to SRV02 to dump the local SAM database.

Performing the attack from Linux

In the lab scenario we have three systems:

  • Kali Linux (Attacker System)

  • WS02 (Windows 10 22H2)(System used to trigger LLMNR)

  • SRV02 (Windows Server 2019)(Not a Domain Controller)

We will be capturing a hash on Kali Linux using LLMNR poisoning and performing an SMB relay attack to gain a shell on SRV02.

As per the prerequisites, the user account whose hash we will be capturing (new.admin) is a member of the Administrators group on the machine we will be relaying to (SRV02).

Ideally we will use Responder for this attack, which comes preinstalled on Kali Linux. Before we start Responder we need to make a small change to its configuration file.

We need to turn off the SMB and HTTP servers, as we do not want Responder to answer on these protocols: we will be capturing the hash and relaying it with a different tool, ntlmrelayx.py from Impacket.

Start Responder with the following command:

And then call ntlmrelayx.py from the Impacket directory.

With both tools listening we can trigger an event using LLMNR, as covered previously in the LLMNR Poisoning page.

Responder has caught the user new.admin attempting to browse to a host that does not exist on the network. After DNS fails to resolve the name, the machine falls back to LLMNR; in this case we have caught the hash and relayed it over to ntlmrelayx.py.

ntlmrelayx.py then forwards the hash to the machine specified with the -t switch, which in this case is 10.10.10.20 (SRV02).

As the user new.admin is an administrator on SRV02, ntlmrelayx.py has allowed us to dump the hashes in the SAM database.

We can then take these hashes and crack them, or we can even attempt a pass-the-hash attack to gain a shell with the NTLMv2 hash on a different machine on the network.

Interactive Shell

We can gain a shell in the same manner as above, except this time we specify the -i switch in ntlmrelayx.py.

When we get a successful authentication message in ntlmrelayx.py we will need to connect with netcat to the localhost address and port specified in the ntlmrelayx.py output.

Start netcat with a localhost address and the port specified in the output above.

Use the 'help' command once inside the SMB interactive shell to view more options.

Mitigations

Enable SMB Signing

This attack can be mitigated by creating a Group Policy that requires signing on all network machines.

After this had been enabled I repeated the steps above and attempted to relay a hash to a workstation which has the Group Policy requiring SMB signing applied.

A downside to this setting which may affect the environment is that signing adds overhead to the network traffic and reduces file transfer speed by around 15%; however, the security of the network far outweighs the loss in performance.

Tiered Accounts

A major risk in this type of attack, and also with LLMNR poisoning, is that a Domain Administrator's hash could be captured and either taken offline to be cracked or relayed elsewhere in the network. Introducing account tiers into the network would reduce the exposure of these credentials to capture.

Local Administrator Restrictions

Removing local administrator rights from users can help prevent lateral movement across the network. For example, as per the above attack, if the user new.admin were not an administrator on the relay target SRV02, the attack would not have been successful.

Default signing behaviour

By default, only Domain Controllers have SMB signing set to required. However, Microsoft is now beginning to make this the default setting for all client systems, starting with Windows 11 Pro and Enterprise Insider builds:

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704

Commands used on this page

Scanning with PsMapExec:

    PsMapExec -Targets all -Method GenRelayList

Scanning with Nmap:

    nmap --script=smb2-security-mode.nse -p 445 -Pn --open 10.10.10.0/24

Windows: configure DivertTCPconn to redirect SMB traffic to port 8445 (requires local admin):

    .\divertTCPConn.exe 445 8445

Windows: set up NTLMRelayx:

    # Dump SAM
    .\ntlmrelayx.exe --smb-port 8445 -t [IP] or [CIDR] -smb2support

    # Execute Command
    .\ntlmrelayx.exe --smb-port 8445 -t [IP] or [CIDR] -smb2support -c "ipconfig"

Linux: start Responder:

    sudo python Responder.py -I eth0 -v

Linux: call ntlmrelayx.py from the Impacket directory:

    sudo python ntlmrelayx.py -t [IP] or [CIDR] -smb2support

Linux: interactive shell, then netcat to the localhost address and port shown in the ntlmrelayx.py output:

    sudo python ntlmrelayx.py -t 192.168.64.129 -smb2support -i
    nc 127.0.0.1 <port>

References

The basics of SMB signing (SMB1 and SMB2): https://learn.microsoft.com/en-gb/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-and-smb2
NTLMrelayx.exe: https://github.com/The-Viper-One/RedTeam-Binaries/blob/main/ntlmrelayx.exe
DivertTCPconn: https://github.com/Arno0x/DivertTCPconn/tree/master/compiled_binaries/Binaries_x64
Tiered accounts: Securing privileged access - Enterprise access model (Microsoft Docs)

Last updated 11 months ago