Thursday, 4 February 2021

Capturing local SAM hashes via SMB relay attack

What is an SMB relay attack

An SMB relay attack is similar to LLMNR poisoning in that it relies on a user connecting to a non-existent network share. Instead of stopping at capturing the hash, however, the hash is relayed to another machine on the network, used to log in there, and the local SAM file is dumped. When a user enters the IP address of a machine that does not exist on the network, the workstation sends out a multicast asking other computers if they know who has that address. Our listener replies to that request claiming to know the address and is therefore sent the requesting user's hash, which it passes on for them. The reason this works so frequently is that by default SMB does not require message signing on workstations, i.e. the server is not verifying that the SMB session was genuinely established by the user who authenticated. By default message signing is required on domain controllers; on workstations it is either not turned on or is enabled but not required.

For the attack to work, the relayed user must be a local administrator on both machines: the machine requesting the file share and the machine that the hash is relayed to and logged in on. I have gone ahead and made ecartman (what could possibly go wrong?) a member of the Administrators group on both machines.


Configuring Responder

Because the hash has to be relayed rather than just captured, Responder must have both its SMB server and its HTTP server turned off; otherwise Responder would answer the authentication itself instead of letting it be relayed. Edit the Responder config file at /etc/responder/Responder.conf, set SMB and HTTP to Off, and then start Responder with: sudo responder -I eth0 -rdw -v

Responder should now look like this:


Scan for IP addresses with SMB Message Signing turned off

nmap comes with a script for checking message signing called smb2-security-mode.nse. Scan the subnet using this script and add the IP addresses that do not require message signing to a target file: sudo nmap -p445,139 --script=smb2-security-mode.nse -T4 192.168.1.0/24


Set up the relay script

The tool used for relaying the hash is ntlmrelayx.py from Impacket. Run it with your target file and the -smb2support switch: sudo ntlmrelayx.py -tf targets.txt -smb2support


Capturing the hash, relaying it and dumping the local SAM file

Request a share that does not exist while logged on with an admin account.

Local SAM file of our target dumped :)

Notice how the script checks whether the Remote Registry service is enabled and, if not, enables it, dumps the SAM and then disables it again.

Relay Attack to Shell

Additionally, gaining a remote shell via this attack is as easy as adding the -i (interactive) switch to the end of the ntlmrelayx command above.




Prevention

  • Enable and require SMB Signing on all devices. This can be done via Group Policy.
  • Disable NTLM authentication on the network. Use Kerberos instead.
  • Limit Domain Admins to specific tasks.
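As an added example (not from the original post), the PowerShell below audits whether a Windows host requires SMB signing, which is exactly the condition the nmap smb2-security-mode scan above reports on, and enforces the first prevention bullet when run with -Enforce. It uses the built-in SmbShare cmdlets and assumes an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post: audit and optionally enforce
# SMB signing on the local host. Run from an elevated PowerShell session.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

function Get-SmbSigningStatus {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        # nmap's "Message signing enabled but not required" corresponds to
        # EnableSecuritySignature = True with RequireSecuritySignature = False
        ServerSigningEnabled  = $server.EnableSecuritySignature
        ServerSigningRequired = $server.RequireSecuritySignature
        ClientSigningRequired = $client.RequireSecuritySignature
        # A host resists relay only when signing is *required* on both sides
        RelayExposed          = -not ($server.RequireSecuritySignature -and
                                      $client.RequireSecuritySignature)
    }
}

$before = Get-SmbSigningStatus
$before | Format-List

if ($before.RelayExposed -and $Enforce) {
    # Same effect as the Group Policy settings
    # "Microsoft network server: Digitally sign communications (always)" and
    # "Microsoft network client: Digitally sign communications (always)".
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Host "SMB signing is now required. Re-check:"
    Get-SmbSigningStatus | Format-List
}
elseif ($before.RelayExposed) {
    Write-Warning "SMB signing is not required on $($before.ComputerName); re-run with -Enforce to fix."
}
```

Enforcing the setting locally is useful for testing; in a domain the equivalent Group Policy settings named in the comments are the way to roll it out to every workstation.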
