The SMB Relay attack involves an attacker (A) selecting a target (T) and waiting for a machine (S) to attempt authentication with them.
The attacker then relays this attempt to the target, which generates a challenge sent back to the attacker.
The attacker forwards this challenge to the original machine (S), which encrypts the challenge with its password hash and sends it back to the attacker.
The attacker then sends this encrypted challenge to the target, successfully impersonating the original machine and gaining unauthorized access.
This attack can be attempted if LLMNR poisoning fails, but it requires SMB signing to be disabled or not enforced, and the user must be a local administrator on the target machine.
To execute an SMB Relay attack, first check whether SMB signing is enabled on the device using the command nmap --script=smb2-security-mode.nse -p445 10.0.0.25.
Next, configure Responder by setting SMB = Off and HTTP = Off in the Responder config file, so that the captured hashes are relayed rather than just cracked.
Run Responder with python Responder.py -I tun0 -rdwv and then execute ntlmrelayx -tf targets.txt -smb2support, with targets.txt listing the hosts on which SMB signing is disabled or not required.
When Responder captures an authentication attempt, it is handed to ntlmrelayx, which relays it to the selected target.
The victim may need to access the attacker's IP to trigger the authentication; on a successful relay the target's SAM file is dumped, and with those hashes the attacker can access the target machine.
Adding the -i option to ntlmrelayx opens an interactive shell, which can be used to execute commands and add users for persistence.
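As an added defender-side example (not part of the original notes), the script below parses the output of the nmap signing check above when it is run across many hosts and lists those where signing is not enforced, i.e. the hosts that need signing made mandatory before relay is a concern. The nmap output is a constructed sample; the exact wording of the "disabled" status line and the hostname fs01.corp.example are assumptions.

```python
import re

# Constructed sample (trimmed) of `nmap --script=smb2-security-mode.nse -p445` output
# for three hosts. Status wording follows the script's messages; the exact
# "disabled" phrasing is an assumption, so matching is keyed on that word alone.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.25
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for fs01.corp.example (10.0.0.26)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.27
| smb2-security-mode:
|   2.1:
|_    Message signing disabled
"""

SIGNING_RE = re.compile(r"Message signing ([^\n]+)")

def classify(message):
    """Map a status line to: required, not_required, disabled or unknown."""
    m = message.lower()
    if "enabled and required" in m:
        return "required"
    if "enabled but not required" in m:
        return "not_required"
    return "disabled" if "disabled" in m else "unknown"

def parse_signing_status(nmap_output):
    """Return {host: status} for every 'Nmap scan report for' block."""
    results = {}
    for block in re.split(r"(?m)^Nmap scan report for ", nmap_output)[1:]:
        host = block.split(None, 1)[0]  # hostname or IP from the report line
        match = SIGNING_RE.search(block)
        results[host] = classify(match.group(1)) if match else "no_result"
    return results

def hosts_needing_enforcement(status):
    """Hosts that accept unsigned SMB sessions, i.e. where a relayed NTLM
    authentication would be honoured. Fix on Windows: enable the policy
    'Microsoft network server: Digitally sign communications (always)'."""
    return sorted(h for h, s in status.items() if s in ("not_required", "disabled"))
if __name__ == "__main__":
    print(hosts_needing_enforcement(parse_signing_status(SAMPLE_NMAP_OUTPUT)))
```

Feed it the saved output of a scan over the whole subnet and the returned list is the remediation queue; a host reported as "required" is not relayable even if its Responder-captured hashes are.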
Summary:
- The SMB Relay attack allows an attacker to impersonate a machine by relaying authentication attempts, exploiting disabled or unenforced SMB signing, and requiring local administrator access on the target.
- The attack involves checking for SMB signing, configuring Responder, and using ntlmrelayx to relay and dump authentication hashes for unauthorized access.