Defend or surrender: SMB Relay Attacks with Responder in Focus
Greetings, fellow readers. In today’s blog post, we delve into a critical juncture faced by organizations worldwide: the choice between defending their networks against the relentless tide of threats or surrendering to the insidious tactics of attackers.
We will learn about a devious technique known as SMB Relay Attack, executed with the aid of a potent tool called “Responder.”
This attack has the potential to compromise network security, but it also presents an opportunity for defenders to rise to the occasion and fortify their cyber defenses.
Introduction
SMB, which stands for Server Message Block, is a network communication protocol used for sharing files, printers, and various resources between computers on a network.
It was developed by IBM in the 1980s and later adopted and extended by Microsoft, becoming a fundamental component of Windows operating systems.
However, over the years, SMB has had its fair share of security vulnerabilities and issues, such as password hash vulnerabilities, SMB1 vulnerabilities, and EternalBlue.
SMB remains vulnerable in many networks because legacy systems still run outdated SMB versions and security practices are lax, leaving openings for attackers to exploit known vulnerabilities and perform unauthorized actions.
SMB Relay Attack
Let’s consider a scenario
Imagine you have a security guard (the attacker) trying to get into a high-security building (the server) where only authorized people (the clients) are allowed. The security guard tricks one of the authorized people into handing them their ID card (the authentication request) and then rushes to the building entrance. They use the stolen ID card to pretend they’re the authorized person and gain access to the building.
Once inside, this sneaky security guard might use their newfound access to do bad things or get to sensitive areas they shouldn’t be allowed to enter. Essentially, they’ve pretended to be someone else to get into the secure place and cause trouble.
An SMB (Server Message Block) relay attack is a type of network attack that exploits weaknesses in how SMB authentication is handled.
The SMB Relay attack exploits the NTLM challenge-response protocol, which is commonly employed for both encryption and authentication within SMB sessions, known as NTLM over SMB.
The main goal of an SMB relay attack is to intercept authentication attempts between a client and a server and relay them to gain unauthorized access to the target server or system.
Here’s how an SMB relay attack works:
- Initial Compromise: The attacker gains access to a target network or system through various means, such as phishing, exploiting software vulnerabilities, or using stolen credentials.
- Packet Capture: Once inside the network, the attacker captures SMB traffic, which includes authentication requests and responses between clients and servers. These authentication attempts may involve NTLM (NT LAN Manager) or NTLMv2 credentials.
- Relaying the Authentication: The attacker relays these captured authentication requests to another networked machine, often a server or a different client, effectively impersonating the original client.
- Gaining Unauthorized Access: If the second machine accepts the relayed authentication, the attacker gains unauthorized access to that system or its resources, depending on the privileges of the authenticated user. This can lead to data theft, privilege escalation, and further compromise of the network.
For this attack to succeed, the target hosts must not require SMB signing.
What is SMB signing?
SMB signing verifies the origin and authenticity of SMB packets. Effectively, this stops man-in-the-middle (MitM) SMB relay attacks from being successful. If signing is enabled and required on a machine, we will not be able to perform a successful SMB relay attack against it.
Systems that are vulnerable to this attack have SMB signing configured in one of the following ways:
- SMB Signing enabled but not required
- SMB Signing disabled
Systems that are not vulnerable to this attack have SMB signing configured as follows:
- SMB signing enabled and required
Power of Responder: A Potent Network Analysis Tool
Responder is a network analysis tool primarily used for capturing and analyzing network traffic. Developed by Laurent Gaffié, it is an open-source Python script designed to exploit vulnerabilities in various network protocols and services. Responder’s main goal is to intercept and respond to specific network requests, primarily targeting Windows systems.
Responder operates by tricking devices on a local network into sending authentication requests to it. It does this by responding to certain network protocols such as LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service), both of which are used in Windows environments.
Responder comes pre-installed in Kali Linux, and you can also download it from https://github.com/SpiderLabs/Responder
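Because Responder answers LLMNR lookups for names that do not exist, a defender can detect a running poisoner by asking for a random hostname and seeing whether anything replies. The following is an added example (not part of the original post and not Responder's own code): it builds a standard LLMNR A-record query, parses any answer, and, in probe_for_poisoner(), sends one live query to the LLMNR multicast group; the function and variable names are my own.

```python
import os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR multicast group and port (RFC 4795)

def build_llmnr_query(name, txid):
    """LLMNR A-record query for `name` in DNS wire format (flags = 0, one question)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_llmnr_answer(data, txid):
    """IPv4 addresses from the answer section of a response to `txid`, else []."""
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not (flags & 0x8000) or an == 0:  # not a response to our query
        return []
    pos = 12
    for _ in range(qd):                     # skip the echoed question section
        while data[pos] != 0:
            pos += data[pos] + 1
        pos += 1 + 4                        # name terminator + QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        if (data[pos] & 0xC0) == 0xC0:      # compressed name pointer (2 bytes)
            pos += 2
        else:
            while data[pos] != 0:
                pos += data[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe_for_poisoner(timeout=2.0):
    """Query a random, non-existent hostname; on a clean segment nobody answers."""
    name, txid = "chk-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []                               # (answering host, addresses it claimed)
    try:
        while True:
            data, src = sock.recvfrom(512)
            hits.append((src[0], parse_llmnr_answer(data, txid)))
    except socket.timeout:
        pass
    return hits
```

Any entry returned by probe_for_poisoner() on a segment where LLMNR is otherwise unused is worth investigating; disabling LLMNR and NBT-NS on the clients removes the lookups Responder relies on in the first place.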
Demonstration
To perform an SMB relay attack, we first need to discover hosts on which SMB signing is not required.
The target machine and network used to demonstrate the attack is an Active Directory Home lab setup.
Step-1: Discovering hosts with SMB signing enabled but not required
There are different ways to discover such hosts. We can use several tools, such as Nessus, Nmap, or smbcheck (from GitHub).
We will use Nmap in this demonstration.
nmap --script=smb2-security-mode.nse -p 445 <IP-address>/<subnet>
We will create a target.txt file and enter all the vulnerable IPs in that text file.
This target file will be used when we set up our relay.
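The signing states listed above are exactly what the Nmap script in Step-1 reports per host, so the sorting of scan output into "signing required" and "signing not required" can be automated. The following added example (my own code, not from the original post) parses constructed sample output from that script and returns the hosts that still accept unsigned sessions, which is the list a defender needs for remediation; the exact message wording of the Nmap script is reproduced from memory and is an assumption.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode.nse -p 445` output
# for three lab hosts (not taken from the original post). The three message
# strings follow the wording of Nmap's script as I recall it: an assumption.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for dc01.lab.local (192.168.56.10)
| smb2-security-mode:
|_    Message signing enabled and required

Nmap scan report for 192.168.56.20
| smb2-security-mode:
|_    Message signing enabled but not required

Nmap scan report for 192.168.56.30
| smb2-security-mode:
|_    Message signing is disabled and not required!
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:.*?\()?(\d+\.\d+\.\d+\.\d+)\)?")
SIGNING_RE = re.compile(r"Message signing (.+)$")

def classify_signing(message):
    """'required' blocks relay; 'not-required' (optional or disabled) allows it."""
    m = message.lower()
    if "and required" in m:
        return "required"
    if "not required" in m or "disabled" in m:
        return "not-required"
    return "unknown"

def parse_nmap_signing(text):
    """Map each scanned IP to its signing classification."""
    results, current_ip = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current_ip = host.group(1)
            continue
        sig = SIGNING_RE.search(line)
        if sig and current_ip:
            results[current_ip] = classify_signing(sig.group(1))
    return results

def hosts_needing_remediation(text):
    """IPs that would accept a relayed NTLM session, sorted for a remediation ticket."""
    states = parse_nmap_signing(text)
    return sorted(ip for ip, state in states.items() if state == "not-required")

if __name__ == "__main__":
    print("\n".join(hosts_needing_remediation(SAMPLE_NMAP_OUTPUT)))
```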
Step-2: Editing Responder Configuration file
In order to perform the attack, we need to turn the SMB and HTTP servers Off in Responder's configuration, so that those connections are left for ntlmrelayx to handle instead.
The configuration file, Responder.conf, is located in /usr/share/responder.
gedit Responder.conf
Step-3: Firing up Responder
sudo responder -I eth0 -dw
We use the -I option to specify the network interface on which Responder listens.
As we can see in Responder's start-up output, the HTTP and SMB servers are turned off.
Step-4: Set up your relay
To setup our relay, we will use ntlmrelayx.py from Impacket.
The target file we saved in Step-1 is used here.
sudo ntlmrelayx.py -tf target.txt -smb2support
Step-5: Triggering an event
Now we will trigger an event on the target machine, for example a name lookup for a host that does not exist, which Responder answers as described above.
Step-6: Relaying credentials
As soon as an event is triggered, the dynamic duo of Responder and ntlmrelayx spring into action, relaying the credentials over SMB.
Now we can see that the SAM file has been dumped by the tool.
The SAM file, which stands for Security Account Manager file, is a critical component of Windows operating systems. It stores password hashes for local user accounts on a Windows computer.
In other words, it holds hashed, rather than plaintext, representations of user passwords.
Now we can crack those hashes via Hashcat.
We know that hashes can sometimes take an eternity to crack.
Instead of dumping the SAM file, we can get an interactive shell directly with ntlmrelayx.
Getting Interactive Shell with ntlmrelayx
To get an interactive shell, we simply add the -i option (interactive mode) to the command from Step-4.
sudo ntlmrelayx.py -smb2support -tf target.txt -i
Mitigation
SMB relay attacks can be particularly dangerous because they can allow attackers to move laterally through a network, potentially compromising multiple systems.
The attack takes advantage of the trust established between machines in the network, exploiting weaknesses in the authentication process.
To defend against SMB relay attacks, it’s essential to implement strong network security measures, such as:
- Require SMB Signing: Enabling and requiring SMB signing ensures the integrity of SMB messages and stops a server from accepting relayed authentication requests.
- Implement Network Segmentation: Isolating critical network segments can limit the lateral movement of attackers if they gain access.
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): These security tools can help detect and block suspicious SMB traffic patterns.
- Regular Patching: Keeping systems and software up to date can help mitigate vulnerabilities that attackers might exploit.
- Credential Hygiene: Promote strong password policies, use multi-factor authentication (MFA), and limit user privileges to reduce the impact of successful attacks.
Conclusion
As we conclude this blog, one thing becomes abundantly clear: the choice between defense and surrender is in your hands.
While the threats are real, so too are the defenses. Armed with knowledge and fortified by proactive measures, you can staunchly defend your network against the poison of attackers.
Remember, cybersecurity is an ongoing commitment, and staying ahead requires continuous vigilance, patching, and best practices.
If you’ve found value in this blog post, expressing your support with a “clap” would be greatly appreciated.
Additionally, if you’re keen on furthering your cybersecurity knowledge, consider following me for more insights and learning opportunities.