SMB Relaying

An SMB relay attack is performed when an attacker can capture a users NTLM hash and then pass it to another machine that has SMB signing disabled. The goal of this attack, is to relay a user account that has better privileges than you as an attacker currently have. Ideally, this would be a domain or local administrator, so you can utilize their privileges for further attack paths.

It should be noted that SMB signing must be disabled on relayed targets, as when SMB signing is not disabled, the domain will know that you are not really the user that is being relayed. This is due to the relayed packet not being signed, so the domain it will not allow you to authenticate.

NetExec (find relay targets)

The first step in SMB relaying, is finding any hosts that can be relayed. NetExec can generate a list of targets for use with SMB relaying. This is hosts with SMB signing not required.

• https://github.com/Pennyw0rth/NetExec

The following command can be used:

netexec smb --gen-relay-list <targets.txt> <IP_Address/range>

Equipped with this list, you can move onto using the tools below.

IPv4 Relaying - Responder + ntlmrelayx.py

Responder is a tool that can be setup to act as listener on your local subnet and watch for any victim machines initiating NTLMv1/v2 authentication requests. Once a request is intercepted, Responder will forward it to ntlmrelayx, which then relays the authentication request to the target machine.

If the relayed authentication request is for a standard domain user, a SMB shell within the target is spawned. However, if the account has local administrative privileges on the target machine, then it is possible to conduct many attacks. Such as dump the SAM file to get local password hashes and more.

• https://github.com/lgandx/Responder

• https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py

The following should be conducted to execute responder without SMB and HTTPs to setup relaying:

• Edit the /responder/Responder.conf file

  • Disable SMB (SMB = Off)

  • Disable HTTP (HTTP = Off)

Execute responder with the following command

responder -I eth0 -v

The following command will execute ntlmrelayx with a list of target hosts to relay to:

ntlmrelayx.py -tf <IPs.txt> -smb2support -i

With Responder and ntlmrelayx running, you should now see authentication requests being relayed.

IPv6 Relaying - MITM6 + ntlmrelayx.py

MITM6 (Man-In-The-Middle6) is an IPv6 tool that exploits Windows machines by taking over the default DNS server, as IPv6 takes precedence over IPv4. As a DNS server, MITM6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine.

MITM6 is very powerful when paired with ntlmrelayx and as we're taking precedence using IPv6, we are forcing ourselves to receive requests. This means we can aim for bigger things, namely a domain administrator relay and use it with a domain controller.

• https://github.com/dirkjanm/mitm6

• https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py

The following command will execute MITM6 to start receiving requests:

mitm6 -i eth0 -d <domain>

The following command will execute ntlmrelayx and relay to a domain contoller:

To expand, this command will relay the requests to LDAPS on a domain controller. It will also send the victim a fake WPAD file and dump any gathered data inoto a folder called ‘stuff’ on the local system.

ntlmrelayx -6 -t ldaps://<DomainControllerIP> -wh fwpad.domain.com -l stuff