<aside> 📌 Summary
</aside>
SMB relay is an attack where an attacker intercepts and relays Server Message Block (SMB) authentication requests between two systems. The attacker tricks the target into authenticating with the attacker-controlled system, gaining unauthorized access. The attack exploits weak SMB security settings, allowing the attacker to access sensitive data, execute commands, and propagate through the network.

For this attack to be really interesting, we need to capture the credentials of an administrator of another target machine. Moreover, if the target requires SMB signing, we will not be able to impersonate the relayed credential, so we need a target that has SMB signing disabled or not enforced.
Once we have a foothold on a network, we can scan it with an Nmap script to find the machines that do not enforce SMB signing:
nmap --script=smb2-security-mode.nse -p 445 192.168.149.0/24 -Pn
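To turn that scan into an audit list, here is an added helper (not from the original post) that parses Nmap's normal output for the smb2-security-mode script and reports the hosts whose signing status is "disabled" or "not required". The sample output embedded below is constructed for the example; the host name ws01.orb.local and the 192.168.149.x addresses are made up.

```python
import re

# Constructed sample of `nmap --script=smb2-security-mode.nse -p 445 ... -Pn`
# normal output; not real scan data.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.149.10
Host is up (0.00050s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for ws01.orb.local (192.168.149.21)
Host is up (0.00082s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.149.22
Host is up (0.0011s latency).

PORT    STATE SERVICE
445/tcp filtered microsoft-ds
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
SIGNING_RE = re.compile(r"Message signing (.+)$")


def smb_signing_status(nmap_output):
    """Map each scanned IP to its SMB2 signing status text, or None when the
    script produced no result (port closed/filtered, no SMB2 answer)."""
    status, current = {}, None
    for line in nmap_output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            status[current] = None
            continue
        sig = SIGNING_RE.search(line)
        if sig and current:
            status[current] = sig.group(1).strip().rstrip("!")
    return status


def hosts_without_enforced_signing(nmap_output):
    """Sorted IPs where signing is disabled or optional: the hosts to fix
    (enforce signing) before a relay can succeed against them."""
    weak = ("not required", "disabled")
    return sorted(ip for ip, s in smb_signing_status(nmap_output).items()
                  if s and any(w in s for w in weak))
```

Hosts with no script result (like the filtered one above) are reported as None rather than weak, so they need a manual check instead of being silently skipped.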

<aside> 💡 Note: In our case, the ORB-DC has SMB signing enforced. This is the normal behaviour for a Domain Controller, but if it isn’t the case… smile, because the penetration test might go fast.
</aside>
<aside> 🔥 Find more about default responder configuration and behaviour in MITM with Responder
</aside>
This time we’ll need to modify the Responder configuration slightly. Open /etc/responder/Responder.conf and disable the HTTP server and the SMB server as shown below, so that Responder no longer answers on those services itself.

Now we can start https://github.com/lgandx/Responder again as before and verify in its startup banner that both servers are indeed reported as Off.
responder -I ens33 -dwPv
