SMB Relay
SMB Relay through Impacket Responder and ntlmrelayx
Prerequisites
SMB Signing
By default, SMB signing is enabled but not required on Windows workstations, and enabled and required on Windows Servers. A relay only works against hosts that do not require signing.
Nmap - SMB Security Mode Discovery
There are two nmap scripts for detecting the SMB message signing mode, one for SMBv1 and one for SMBv2. We are going to use the SMBv2 one.
nmap -p445 --script smb2-security-mode <targets>
Copy all targets (IPs/hostnames) into targets.txt.
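The same scan output doubles as a remediation list. The added example below (not part of the original page) parses smb2-security-mode results and reports the hosts that do not require signing; the sample output, hostnames and function names are constructed for illustration.

```python
import re

# Constructed, trimmed sample of smb2-security-mode output (not from a real scan).
SAMPLE = """\
Nmap scan report for ws01.corp.example (10.0.0.21)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.5
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.30
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
SIGNING_RE = re.compile(r"Message signing (?:is )?(enabled and required|enabled but not required|disabled)", re.I)


def signing_by_host(nmap_text):
    """Map each scanned host to its SMB2 signing mode, or 'unknown' if the script gave no result."""
    results, host = {}, None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            results[host] = "unknown"  # stays unknown when port 445 is closed or filtered
            continue
        m = SIGNING_RE.search(line)
        if m and host:
            results[host] = m.group(1).lower()
    return results


def needs_enforcement(results):
    """Hosts with a confirmed result where signing is not required: enforce signing on these."""
    return sorted(h for h, mode in results.items() if mode not in ("enabled and required", "unknown"))


if __name__ == "__main__":
    modes = signing_by_host(SAMPLE)
    for host, mode in modes.items():
        print(f"{host:35} {mode}")
    print("Enforce signing on:", needs_enforcement(modes))
```

Hosts reported as unknown returned no script result and should be rescanned rather than assumed safe.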
Admin Account
The relayed user has to be an admin on the machine being relayed to (you can't do SMB relay without an admin account).
Responder
Modify Responder.conf
Disable these options
SMB = Off
HTTP = Off
Start Responder
ntlmrelayx
The relay server starts its own SMB and HTTP servers (that's why they are disabled in Responder).
User Interaction
Now a user needs to access an SMB folder.