What is SMB Relay ?

Instead of Cracking hashes gathered with Responder we can instead relaty those hashes to specifc machines and potentially gain access.So we dont really crack them.

Requirements

So SMB Signing must be disabled on target .This is a packet level protocol so when we try to relay these packets it will tell us hey you are not that person and wont allow us to do anything.

Relayed user credentials must be admin on machine.This has to be on two diffrent machine.So we can target maybe a local administrator for something like this .So for this we will first Run Responder but with SMB and HTTP off. We just use this to capture and not send anything.

and then we run the responder tool .And then we use a tool called ntlmrelayx.py to set up your relay.This takes a relay and pases it to a target file.So now we just wait for an event to happen and it can be the same event as before like wrong ip or something and then it will relay these credentials to the other machine and boom we are in.Only if this user is admin on the other machine .In this we will dump something called SAM hashes this basically like etc/shadow equivelant for windows basically.And this will be hashes for usernames and passwords of local users and we can take these hashes offline and crack them or tansfer them to another machine.

Defence

Enable SMB Signing on all devices →

Pro: Completely stops the attack

Cons: Can cause performance issues with file copies (15% or so)

Disable NTLM authentication on network →

Pro: Completly stops the attack

Cons: If Kereberos stops working Windows defaults back to NTLM.

Account tiering →

Pro: Limits domain admins to specific tasks.

Cons : Enforcing the policy may be difficult.

Local admin restriction→

Pro : Can prevent a lot of lateral movement

Con : Potential increase in the amount of service desk tickets.