sanskytech
Published on 25th of September 2024

Practical SMB Relay Attack

Paniz Heidari, Pentester

    Description

    The SMB relay attack is a significant weakness of the Server Message Block protocol: an attacker intercepts a client's authentication attempt and relays it to another host in the Active Directory environment, gaining unauthorized access to sensitive resources on every host where SMB signing is not required.

    SMB Relay Attack

    SMB relay attacks pose a significant threat to Active Directory environments by abusing SMB hosts that do not require message signing. In this blog, we outline the step-by-step process of an SMB relay attack in a lab of two client systems and a Domain Controller (DC), showing how an attacker intercepts an authentication request and relays it to gain unauthorized access.

    Step 1: Identifying Hosts Without Enforced SMB Signing

    nmap --script=smb2-security-mode.nse -p 445 192.168.1.0/24 -Pn

    smb2-security-mode.nse : NSE script that reports, for each host, whether SMB signing is enabled and whether it is required. Hosts that report signing as enabled but not required are the relay candidates. (.nse files are Nmap Scripting Engine scripts.)

    -p 445 : scan only port 445, the SMB port.

    192.168.1.0/24 : scan every device in the 192.168.1.0/24 subnet, i.e. all addresses from 192.168.1.1 to 192.168.1.254.

    -Pn : Before scanning, Nmap normally pings each host to check whether it is online; a host that does not answer is assumed to be offline and skipped, so some targets would be missed. Some systems deliberately ignore ping requests to appear offline and avoid detection during scans. The -Pn option tells Nmap to assume every host is online and skip the ping step.
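    As an added example (not part of the original post), here is a small Python audit helper that turns the Nmap output of this step into a remediation list: it parses the smb2-security-mode verdicts and returns the hosts that still accept unsigned SMB sessions. The sample scan text is constructed; the hostnames and addresses are made up.

```python
import re

# Constructed sample of nmap's normal output for the smb2-security-mode
# script; the hosts and verdicts are made up, not a real scan result.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.10
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (192.168.1.5)
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.1.20
PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

# Hostname form "report for name (ip)" and bare "report for ip" both match.
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})")
VERDICT_RE = re.compile(r"Message signing (.+?)!?$")

def parse_signing_report(text):
    """Map each scanned IP to the script's signing verdict; hosts that
    produced no smb2-security-mode result (port closed etc.) map to None."""
    results, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            results[current] = None
        elif (m := VERDICT_RE.search(line)) and current:
            results[current] = m.group(1)
    return results

def hosts_without_required_signing(text):
    """IPs that still accept unsigned SMB sessions: exactly the hosts a relay
    can target, and the ones to fix with the Group Policy setting
    'Microsoft network server: Digitally sign communications (always)'."""
    return sorted(ip for ip, verdict in parse_signing_report(text).items()
                  if verdict and "not required" in verdict)
```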

    What is the Nmap Scripting Engine (NSE)?

    The Nmap Scripting Engine (NSE) is a powerful feature of Nmap that lets users write and run scripts to automate network scanning tasks. It extends Nmap with a framework for custom scripts that perform advanced functions such as vulnerability detection, service discovery, and network exploitation. NSE scripts are written in Lua, which makes them flexible and easy to extend for network assessments. The scripts are located in the directory /usr/share/nmap/scripts.

    We can also list the NSE scripts related to SMB that ship with Nmap using the following command:

    ls /usr/share/nmap/scripts | grep -E "smb|version"

    grep : searches text for a specific word or pattern.

    -E : use extended regular expressions, so the alternation "smb|version" matches script names containing either word.

    Step 2: Creating the Target File

    In this step, we create a text file containing the IP addresses (one per line) of all hosts on which SMB signing is not enforced.

    nano targets.txt

    Step 3: Changing the Configuration of the Responder Tool

    Responder is an excellent tool for intercepting network traffic. In an SMB relay attack, Responder only captures the authentication attempt; the relaying itself is done by ntlmrelayx.py (Impacket's successor to smbrelayx.py). For that hand-off to work, Responder's own SMB and HTTP servers must be disabled in its configuration file, otherwise Responder would answer the authentication itself instead of leaving it to the relay. We edit the configuration with the following command:

    sudo mousepad /etc/responder/Responder.conf

    Step 4: Setting Up Responder

    Responder is a powerful tool for capturing and analyzing network traffic, particularly on local area networks. It listens for various protocols and answers NetBIOS, LLMNR, and mDNS requests, which lets it capture NTLM hashes, plaintext credentials, and other sensitive information from clients on the network. To start Responder, we use the command:

    sudo responder -I wlan0 -vdw

    -I wlan0 : the network interface to listen on.

    -v : verbose mode, printing detailed information about each event.

    -w, -d : additional listener switches; -d enables the detection of and response to LLMNR (Link-Local Multicast Name Resolution) requests.

    Step 5: Setting Up ntlmrelayx.py

    ntlmrelayx.py is a tool from the Impacket suite built specifically for NTLM relay attacks. These attacks exploit the way Windows handles NTLM (NT LAN Manager) authentication: the authentication request is intercepted and forwarded to another server, potentially giving the attacker unauthorized access there.

    To start ntlmrelayx.py, we use the command:

    impacket-ntlmrelayx -tf targets.txt --smb2support

    -tf : target file, containing the IP addresses of all hosts on which SMB signing is not enforced (the file created in Step 2).

    --smb2support : lets ntlmrelayx.py handle the SMB2 (Server Message Block version 2) protocol during the relay, so NTLM authentication can be relayed over SMB2 connections as well as SMB1. This matters for compatibility with modern systems, which primarily use SMB2 and SMB3.

    Dumping SAM Hashes

    Finally, a user on the client searches for a shared folder that does not exist. When the name cannot be resolved (a typo is enough), Windows falls back to an LLMNR request. Responder, which is listening on the network, answers that request as if it were the legitimate resource, and the client authenticates to it.
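    The same LLMNR fallback is how defenders can detect a poisoner on the network. As an added example that is not part of the original post, the Python below multicasts an LLMNR query for a random name that cannot exist, so any positive answer carrying our transaction ID must come from a spoofing listener. The probe function and its interface address are assumptions for a live network; the packet builder and the reply check run offline.

```python
import random
import socket
import string
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def build_llmnr_query(name, txid):
    """Encode an LLMNR query (same wire format as a DNS message) for one
    A record, with no flags set and the caller's transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def is_poison_reply(data, txid):
    """True when data is a positive answer to our query: nobody should ever
    answer a name that does not exist, so a response with our ID, the QR bit
    set and at least one answer record identifies a poisoner."""
    if len(data) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return rid == txid and bool(flags & 0x8000) and an > 0

def probe(listen_ip, timeout=2.0):
    """Multicast a query for a random hostname from the given local
    interface address and return the source IPs of everyone who answered.
    Needs a live network; it is not exercised by the offline checks."""
    name = "".join(random.choices(string.ascii_lowercase, k=12))
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(listen_ip))
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    poisoners = set()
    try:
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            if is_poison_reply(data, txid):
                poisoners.add(src)   # unicast reply to a name nobody owns
    except socket.timeout:
        pass
    return poisoners
```

Run probe() from a scheduled job and alert on any non-empty result; a legitimate network never answers a random name.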

    As a result of this interaction, we capture the client's NTLM authentication attempt, which can lead to credential exploitation. By relaying the captured NTLMv2 authentication to another system with ntlmrelayx.py, we gain access to sensitive resources. Importantly, in this lab the relayed account is the local administrator of the target system, which lets us dump the SAM hashes and gain deeper access to the target environment. The following shows the dumped SAM hashes.

    This demonstration underscores the critical need for robust security measures in network configurations. By understanding how a seemingly innocuous action, such as searching for a shared folder, can lead to a significant compromise, organizations can better protect themselves against attacks that exploit weaknesses in authentication protocols, starting with requiring SMB signing on every host.