SMB Relaying

After observing LLMNR and/or NBT-NS traffic with Responder and forcing the client to authenticate to your machine, it is possible for the attacker to relay the Net-NTLMv2 hash obtained to all systems within scope that have SMB Signing Disabled.

Identifying Systems with SMB Signing Disabled

RunFinger.py

Finger is included with Responder.py in the /tools directory. Simply run the tool against either a subnet or file and parse the results using cut

python3 RunFinger.py -i $subnet

CrackMapExec

A list can also easily be created with CrackMapExec:

crackmapexec smb $subnet --gen-relay-list 

Nmap

Nmap can also create a list of hosts that have SMB Signing Disabled:

nmap --script=smb-security-mode -p445 $ip

SMB Relaying 101

After confirming LLMNR/NBT-NS traffic and identifying systems with SMB Signing Disabled, we are ready to perform the attack. First, we need modify the Responder.conf file and disable both SMB and HTTP:

# responder.conf

SQL = On
SMB = Off    
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

We can then run Responder:

We can then run ntlmrelayx.py from Impacket, supplying our file of hosts previously identified to have SMB Signing Disabled.

Relaying with SOCKS

We can also enable SOCKS support while relaying for interactive sessions. Using this flag will also provide you with a session on the host if the user is not a local administrator:

References

Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.pybyt3bl33d3r.github.io

NTLM Relayhackndo

The Basics of SMB Signing (covering both SMB1 and SMB2)MicrosoftLearn

SMB Relay | cheatsheetaas-s3curity.gitbook.io

Resource HubSecureAuth