# SMB Relay Attack SMB relay attacks pose a significant threat to Active Directory environments by exploiting vulnerabilities in the SMB protocol. In this blog, we'll outline the step-by-step process of executing an SMB relay attack using a setup of two client systems and a Domain Controller (DC), demonstrating how attackers can intercept and relay authentication requests to gain unauthorized access. # Step1: Identifying Hosts Without Enforced SMB Signing ```bash:nmap nmap --script=smb2-security-mode.nse -p 445 192.168.1.0/24 -Pn ``` smb2-seccurity-mode.nse:nmap script that helps to identify the hosts without forced SMB signing nse files: nmap scripting engine -p 445:smb port 192.168.1.0/24: we are scanning every device within the 192.168.1.0/24 subnet, which includes all IP addresses from 192.168.1.1 to 192.168.1.254. -Pn: When using Nmap to scan hosts, the tool first sends a ping to check if they are online. If a host doesn’t respond, Nmap assumes it’s offline, which can cause us to miss scanning some targets. Some systems may ignore ping requests to appear offline intentionally, gaining an advantage by avoiding detection during scans and reducing the risk of attacks. To prevent this issue, we used the -Pn option, which tells Nmap to assume all hosts are online, skipping the ping step. {"nmap"}/

## What is Nmap Scripting Engine (NSE) The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that allows users to write and execute scripts for automated network scanning tasks. It enhances Nmap's capabilities by providing a framework for custom scripts to perform advanced functions such as vulnerability detection, service discovery, and network exploitation. NSE scripts are written in Lua, enabling flexibility and extensibility in network assessments.These scripts are located in the directory */usr/share/nmap/scripts*. We can also view the various NSE scripts related to SMB available in the Nmap tool by using the following command: ```bash:NSE ls /usr/share/nmap/scripts | grep -E "smb|version" ``` grep: Used for searching for a specific word or pattern in text files. -E:Enables the use of extended regular expressions for more complex pattern matching. {"NSE"}/

# Step2: Creating Target File In this step, we create a text file containing the IP addresses of all hosts where SMB signing was not enforced. ```bash:Target nano targets.txt ``` {"Target"}/

# Step3: Changing Configuration of Responder Tool Responder is an excellent tool for intercepting network traffic. In an SMB relay attack, we use Responder to relay and send the intercepted credentials to another tool called smbrelayx.py. To facilitate this process, we need to modify Responder's configuration by disabling SMB and HTTP protocols. We can accomplish this with the following command: ```bash:Config sudo mousepad /etc/responder/Responder.conf ``` {"Config"}/

# Step4: Setting Up Responder: Responder is a powerful tool used for capturing and analyzing network traffic, particularly in local area networks. It acts as a listener for various protocols and can respond to NetBIOS, LLMNR, and mDNS requests, allowing it to capture NTLM hashes, plaintext credentials, and other sensitive information from clients in the network. To set up Responder, we use the command: ```bash:Config sudo responder -I wlan0 -vdw ``` -I :interface -v :being verbose and give detailed info -w :Wpad -d :This switch in the responder command enables the detection and response to LLMNR (Link-Local Multicast Name Resolution) requests. # Step5: NTLMrelayx.py Set up: Ntlmrelayx.py is a tool from the Impacket suite specifically designed to facilitate NTLM relay attacks. NTLM relay attacks exploit the way Windows handles NTLM (NT LAN Manager) authentication to intercept and forward authentication requests to another server, potentially allowing an attacker to gain unauthorized access. To set up NTLMrelayx.py, we use the command: ```bash:Config impacket-ntlmrelayx -tf Target.txt --smb2support ``` -tf : Target File, containing all the ip addresses of the hosts that their smb signing is not forced. --smb2support : this switch enables NTLMrelayx.py to handle SMB2 (Server Message Block version 2) protocol during the NTLM relay attack, allowing it to relay NTLM authentication requests for SMB2 connections as well as SMB1. This is important for compatibility with modern systems that primarily use SMB2 and SMB3 protocols. {"NTLMrelayx"}/

# Dumping Sam Hashes At the end, the client searches for a non-existent shared folder. When the client attempts to resolve the folder name, any typos or errors can trigger an LLMNR request. Our tool, responder, which is actively listening on the network, intercepts this request and responds as if it were the legitimate resource, prompting the client to authenticate. As a result of this interaction, we capture the NTLM hashes from the client's authentication attempt, which can lead to potential credential exploitation. By relaying the captured NTLMv2 hash to another system using ntlmrelayx.py, we gain access to sensitive resources. Importantly, this NTLMv2 hash belongs to the local administrator of the target system, enabling us to dump the SAM hashes and gain deeper access to the target environment.The following shows the dumped sam hashes. {"sam-hashes"}/

This demonstration underscores the critical need for robust security measures in network configurations. By understanding how seemingly innocuous actions—like searching for a shared folder—can lead to significant vulnerabilities, organizations can better protect themselves against potential attacks that exploit weaknesses in authentication protocols.

Practical SMB Relay Attack