SMB Relay Attack
In the last active directory attacks, we use Responder to capture LLMNR responses that contain the username and NetNTLMv2 Hash which can be cracked to get access to the system.
In this topic, we use the same tool Responder and we also use some other tools and configuration changes of Responder to perform the SMB Relay attack. Before talking about the SMB Relay attack we first need to understand what is SMB.
What is SMB?
SMB stands for Server Message Block and that is a network protocol that allows us to share files, printers, and other resources over a network. Originally IBM developed it but later on, Microsoft adopted it in the replacement of NetBIOS. NetBIOS has the same functionality as SMB but SMB replaced it because they are much better and has encryption functionality that encrypts network traffic so the later version of Windows uses SMB as the default way of file sharing and other stuff. One thing I should mention here is SMB is not only used in Windows, but Linux also has its own version of SMB and they are called Samba.
SMB uses port 445 by default and if we use Nmap to scan the targets and see if this port is open so that we can list its shares using a tool like smbclient in linux. The syntax to list the active shares are following.
Where:
-Lis used to specify list the of shares\\192.168.10.45\\is the actual address of the target server.
Note: The double slashes
\\are used here because of the syntax but sometimes you get errors in the linux system so you have to replace it with//. You may see some syntax that contains four slashed i.e.\\\\they are also valid. Because\is an escape character also why they use four slashes that after combining becomes two slashes//.
After using the above command with double slashes or tetra(four) slashes you will see the output something like the following.
There you see some default shares of SMB. In which ADMIN$ is an Administrator share that can only be accessed by the Local Administrator account. If you are an admin user then you can connect to this share using the following command
They prompt you for an Administrator username and password after providing that you will get access to this share in which you see all the content of the C:\ drive and if you don't know they are the root directory of the Windows system.
If we see from the attacker's point of view that they get access to this share then we are doomed because not only do they get the Remote Code Execution(RCE) in the system but also they can see the file content that contains the username and password hashes like /etc/shadow the file in the linux system.
What is SMB Relay?
Now we know a little about the SMB protocol and its uses and considerations, let's talk about the SMB relay attack. In the SMB Relay attack, we leverage the Responder tool, similar to our previous topic on LLMNR Poisoning. However, in this case, our objective is different. Instead of cracking the captured authentication credentials, we utilize them to relay (forward) the message to the SMB server, pretending to be the user who initiated the authentication request. This impersonation allows us to exploit any access privileges associated with that user, potentially gaining unauthorized access to shared resources and exfiltrating sensitive data.
Remember I said above that Administrator users have full access to the ADMIN$ share and if we impersonate him we can not only get RCE but also get the user's password NTLM hashes. Simple Huh?
No, it's not that simple because if an attacker gets command execution, gets the user's hashes, and exfiltrates data then who uses it and where is the security, that replaced him in the first place? So to perform a successful SMB Relay attack we should have some requirements to be met.
The requirements to perform a successful SMB relay attack are:
Ability to Intercept Network Connection: You should have the capability to intercept the network traffic that contains the SMB credentials. This can be achieved by being positioned on the same network segment or through other means of network interception.
Use of NTLM Authentication: The target system should allow connections using the NTLM authentication method instead of Kerberos. This is important because SMB relay attacks rely on intercepting and relaying NTLM authentication requests.
Disabled SMB Signing: SMB signing, which ensures the integrity of SMB packets, should be disabled on the target system. Disabling SMB signing allows the attacker to manipulate and forward the SMB traffic without detection.
Targeting Administrator User Credentials: For the purpose of exfiltrating user hashes or achieving remote code execution, the relayed credentials should belong to Administrator-level users. Administrator users typically have higher privileges and access to critical resources.
These are the requirements that we need to perform the successful SMB Relay Attack. Now let's look into him and learn more about it.
Using
Responderwe can intercept the traffic but this time we only want to intercept connects, not to respond to his requests so we have to make some changes in theResponderconfigurations.To do that first open the responder configuration file using any text editor tool of your choice. The Kali-based version of the
Respondertool config file lies in the/usr/share/responder.confpath.Open it and change the following method set to
OFF
Python-basedUsing that Responder just listening for connection but will not respond to any of these requests.
As the responder will not respond to the connections, now we use another tool that relays the traffic, we use the tool name
ntlmrelayx.pythat came with theimpacketpython-based project that we use much more in Active Directory Exploitation.
The syntax of ntlmrelayx.py are following.
Where:
-tfis used to specify the target file name. In the target file, you can specify the targets by hostnames or full URLs one per line.-smb2supportis used to enable smb2 support, this is useful when we want to relay authentication requests to the smbv2 server.
You may be asked what they do.
Using the above command the ntlmrelayx.py script runs its own smb server in which victims connect it's like a middleman that gets the authentication credentials from the responder and then tricks the target smb server by giving that captured credentials. That ntlmrelayx smb server only gets the connection to those hosts that are mentioned in the target.txt file. The target can be only IP addresses, hostnames, and full domain URLs. When they capture any request they relay it back to the original smb server on behalf of us and exfiltrate SAM file data that contains the user's password hashes for us.
Note: As I said before to get any success in this attack the target smb signing should be disabled. You can know if the smb signing is disabled or not from the Nmap common script scan. In the Nmap report, you should see a message something like the following.
If you see any of the above-mentioned messages and the other above-mentioned requirements are met then you are eligible to perform this attack otherwise don't blindly test this attack.
You see one message says it is disabled so we can exploit it but how we can exploit the enabled one? the answer lies in the not required text. That means they have enabled signing but if the request is not signed then they also accept that because signing is not forced.
Summarize
Let's summarize all that we learn so far in this one section. Here I will only show commands and only write what that step doing so I will not explain it for that just read above.
Setting up responder
Running Responder
Running ntlmrelayx.py for capturing hashes
Note: That
targets.txtContains the IP address or full domain URL of the target machine we are attacking.
Running ntlmrelayx.py for Interactive shell
Note: I'm assuming your responder still running in the background or in another tab.
Where:
-iis used to start an interactive smb shell that will run locally and can access using a tool like netcat.
Running ntlmrelayx.py for executing system command
Where:
-cis used to run system commands on the machine.
Running ntlmrelayx.py to execute a binary
Where:
-eis used to execute binary located in the attacker machine directory that will run on the target machine.
SMB Credentials to get a reverse shell
The above command shows us the way if we can relay Admin credentials to the SMB server then we can get command execution on the system. Now I want to add one more thing in there if we have the Administrator user's credentials, we can also get the Reverse shell. To do that we again use Impacket tool scripts i.e. smbexec.py, wmiexec.py, and psexec.py etc. These are the scripts that can be used to get Reverse Shell using Administrator Credentials.
You may be asked now if we have administrator credentials why don't we just login to its account?
You can login using that but what if they have different passwords for SMB shares and different for Remote Desktop Protocol(RDP) or ssh? if that is the case then you can use this his shared credentials to get Command Execution with his account without knowing its main credentials.
The commands are like the following.
smbexec.py
Where:
example.comis the Active Directory Domain name that can be found using the Nmap scan.username:passwordis the username and password of the user who has the Administrator privileges.target-ip-addressis the IP Address of the server or computer.
wmiexec.py
psexec.py
Note: This thing only gives us the shell if the user has the Administrator privileges i.e. that can read ADMIN$ share.
Metasploit Framework also has the above-mentioned tools or similar tools that can also be used.
Last updated