# SMB Relay Attack

### Overview

In a nutshell, SMB relaying relies on having a valid encrypted challenge-response: once you have captured it (with a man-in-the-middle attack), you can relay it to another machine and authenticate as the legitimate user, without having to crack the hash to recover the plain-text password. So, even if a strong password policy exists, there are other ways to gain access.

The attacker sits in the middle and keeps listening; once a client (the victim) tries to access a server (the target), the attacker captures the encrypted challenge-response and relays it to the target, thereby gaining access to the target as the victim.

### Prerequisites

To carry out an SMB relaying attack, three points must hold:

* The client and server must have **SMB signing disabled, or enabled but not required**. SMB signing defeats man-in-the-middle tampering by digitally signing each packet, so that sender and receiver can confirm the identity of the other party in the exchange.
* The victim (client) must have **administrative rights** on the target machine (the machine to which the client's credentials will be relayed), because the access the attacker obtains on the target is to an administrative share, which only administrators can access.
* LLMNR must be enabled so that the authentication attempt can be captured in the first place, before it is relayed.

### Steps

1. Create a list of machines that accept NTLM relay (**targets.txt**). These must have **SMB signing disabled** or not required.
2. Start Responder with its **SMB and HTTP servers turned off** (in Responder.conf) so that Responder does **not capture the credentials itself** but leaves the connection for the relay.

   ```bash
   responder -I eth0 -rdw
   ```
3. Start **ntlmrelayx**, which opens a **fake SMB and HTTP server.** It accepts NTLM authentication and relays it to the real targets.

   ```bash
   impacket-ntlmrelayx -tf targets.txt -smb2support
   ```
4. The victim triggers name resolution, for example by browsing to `\\share1`, a name that DNS cannot resolve, so the host falls back to LLMNR.
5. Responder instantly replies and poisons the victim's request. The victim **now believes the attacker's IP is the SMB server**.
6. The victim makes an SMB authentication request to the attacker's IP, thinking it is the SMB server, and NTLM authentication begins.
7. For each target in `targets.txt`:
   * **ntlmrelayx** opens an SMB session to the target
   * Forwards the victim's **NEGOTIATE**
   * Receives the challenge from the target
   * Sends that challenge to the victim
   * The victim responds with its NTLM response
   * **ntlmrelayx** forwards it to the target
8. Depending on the victim's privileges, we can:
   * Dump SAM
   * Add local admin
   * Dump secrets
   * Execute commands
   * Pivot laterally
   * Full domain compromise (if DA)
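Seen from the relay target, steps 6 and 7 leave a distinctive footprint: the victim's NTLM AUTHENTICATE message carries the victim's own computer name, but the TCP connection it arrives on was opened by the relay host. A Security event 4624 (network logon, NTLM) whose `WorkstationName` does not belong to its `IpAddress` is therefore worth a second look. The following PowerShell is an added example, not part of the original checklist: it runs that heuristic over a constructed host-to-IP inventory and constructed 4624-shaped records, and the assumed `Find-SuspectedNtlmRelay` function name and the sample hostnames and addresses are mine.

```powershell
# Added example (not from the checklist): flag NTLM network logons whose NTLM-supplied
# workstation name does not belong to the connection's source IP. On the relay target a
# relayed logon shows WorkstationName = victim host, IpAddress = relay host.
function Find-SuspectedNtlmRelay {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,     # objects shaped like 4624 EventData fields
        [Parameter(Mandatory)] [hashtable] $Inventory   # hostname -> IP, e.g. from DHCP leases or DNS (assumed source)
    )
    foreach ($e in $Events) {
        # Only network logons authenticated with NTLM can be the result of a relay
        if ($e.LogonType -ne '3' -or $e.AuthenticationPackageName -ne 'NTLM') { continue }
        # Local or anonymous logons carry no usable source address or workstation name
        if ($e.IpAddress -in @('-', '::1', '127.0.0.1') -or
            [string]::IsNullOrEmpty($e.WorkstationName) -or $e.WorkstationName -eq '-') { continue }
        $expected = $Inventory[$e.WorkstationName.ToUpper()]
        if ($expected -and $expected -ne $e.IpAddress) {
            [pscustomobject]@{
                User        = "$($e.TargetDomainName)\$($e.TargetUserName)"
                ClaimedHost = $e.WorkstationName
                ExpectedIp  = $expected
                ActualIp    = $e.IpAddress
                NtlmVersion = $e.LmPackageName
                Reason      = 'workstation name does not belong to source IP (possible relay)'
            }
        }
    }
}

# Constructed inventory and events so the example runs offline (all values are made up).
$inventory = @{ 'WS01' = '10.0.1.20'; 'WS02' = '10.0.1.21' }
$events = @(
    [pscustomobject]@{ LogonType = '3'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2'
                       WorkstationName = 'WS01'; IpAddress = '10.0.1.20'; TargetDomainName = 'CORP'; TargetUserName = 'alice' }  # legitimate
    [pscustomobject]@{ LogonType = '3'; AuthenticationPackageName = 'NTLM'; LmPackageName = 'NTLM V2'
                       WorkstationName = 'WS01'; IpAddress = '10.0.1.99'; TargetDomainName = 'CORP'; TargetUserName = 'alice' }  # WS01's credentials from another IP
    [pscustomobject]@{ LogonType = '3'; AuthenticationPackageName = 'Kerberos'; LmPackageName = '-'
                       WorkstationName = 'WS02'; IpAddress = '10.0.1.21'; TargetDomainName = 'CORP'; TargetUserName = 'bob' }    # Kerberos: skipped
)
Find-SuspectedNtlmRelay -Events $events -Inventory $inventory | Format-Table -AutoSize

# Live data on a relay target (logon auditing must be enabled) can be projected into the same shape:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object {
#     $xml = [xml]$_.ToXml(); $d = @{}
#     foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#     [pscustomobject]$d
# }
# Find-SuspectedNtlmRelay -Events $live -Inventory $inventory
```

Only the second record is reported. The heuristic depends on the inventory being current, and hosts behind NAT, VPN concentrators or with several interfaces will produce false positives, so treat a hit as a lead to correlate with the victim-side picture (LLMNR traffic answered by an unexpected address) rather than as a verdict on its own.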

### Attack Flow

![SMB relay attack flow](/files/8Ujlnr735x39hGGMUTaE)

### Mitigations

1. Enable and require SMB signing on both clients and servers.
2. Disable LLMNR and NBT-NS.
3. Enable SPN target name validation (the "Microsoft network server: Server SPN target name validation level" policy).
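The same settings that the Prerequisites section lists as conditions for the attack are what the defender has to verify and fix, so one script can serve both sections. The PowerShell below is an added example, not the checklist's own material: `Get-SmbRelayHardeningState` reports the state of all three mitigations on the local host and `Set-SmbRelayHardening` applies them. It assumes an elevated shell on Windows 8/Server 2012 or later (the `SmbShare` module cmdlets) and that LLMNR is controlled through the same registry value the "Turn off multicast name resolution" policy writes; the two function names are mine.

```powershell
# Added example (not from the checklist): audit and enforce the SMB relay mitigations on the local host.
# Assumes an elevated PowerShell session and the SmbShare module (Windows 8 / Server 2012 and later).

$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtInterfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-SmbRelayHardeningState {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    # EnableMulticast = 0 is what the "Turn off multicast name resolution" GPO writes; absent means LLMNR is on
    $llmnr  = Get-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue
    # NetBIOS over TCP/IP is configured per interface: 0 = from DHCP, 1 = enabled, 2 = disabled
    $nbt    = Get-ChildItem -Path $NetBtInterfacesKey | ForEach-Object {
        Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        ServerSigningRequired  = $server.RequireSecuritySignature
        ClientSigningRequired  = $client.RequireSecuritySignature
        SpnValidationLevel     = $server.SmbServerNameHardeningLevel   # 0 = off, 1 = accept if provided, 2 = required
        LlmnrDisabled          = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
        NbtnsDisabledOnAllNics = ($nbt.Count -gt 0) -and -not ($nbt | Where-Object { $_.NetbiosOptions -ne 2 })
    }
}

function Set-SmbRelayHardening {
    # Mitigation 1: sign SMB traffic and refuse unsigned sessions, as server and as client
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

    # Mitigation 3: SPN target name validation. 1 = "Accept if provided by client" is the safe first step;
    # 2 = "Required from client" also rejects access through IP addresses and unregistered aliases.
    Set-SmbServerConfiguration -SmbServerNameHardeningLevel 1 -Force

    # Mitigation 2a: turn off LLMNR
    New-Item -Path $DnsClientPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -Type DWord -Value 0

    # Mitigation 2b: turn off NBT-NS on every interface (takes effect after the adapter is reset or the host reboots)
    Get-ChildItem -Path $NetBtInterfacesKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2
    }
}

Get-SmbRelayHardeningState
```

Run `Get-SmbRelayHardeningState` first; every property should read `True` (and `SpnValidationLevel` at least 1) on a hardened host. For a domain, push the same settings through Group Policy ("Microsoft network client/server: Digitally sign communications (always)", "Turn off multicast name resolution", and the NetBIOS setting in DHCP scope options) rather than host by host, and test the SPN validation level against any servers reached through DNS aliases before raising it to 2.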
