SMB / NTLM Relay Attacks
Last updated
The principle of NTLM authentication is as follows. First, the client tells the server that it wants to authenticate. The server responds with a challenge, which is nothing more than a random string of bytes. The client then encrypts this challenge with its secret (the NT hash of its password) and sends the result back to the server.
Finally, the server performs the same operation with the password hash corresponding to the domain and user name of the account requesting authentication, and compares the result with the one sent by the client. If the two match, the client is authenticated to the server. This is possible because Windows stores the password hashes (NT and LM) of local and remote users in the SAM (Security Account Manager) database.
The advantage of this exchange is that it authenticates the user without ever disclosing the password. This is a form of zero-knowledge proof: the user proves possession of the secret without ever sharing it.
A relay attack consists of intercepting authentication messages passing over the network and forwarding them to a target, which is none other than their legitimate recipient. NTLM carries out the challenge/response exchange in clear text, since the hash itself is meant to protect the secret. An attacker in a Man-in-the-Middle position can therefore intercept every challenge/response circulating on the network, and by relaying a valid response to the target, is authenticated in place of the legitimate client.
A well-known protocol targeted by this type of attack is SMB (Server Message Block). SMB is a file-sharing protocol which natively supports NTLM authentication and which, by default (on SMBv1 and SMBv2), does not enforce message signing, the protection against relay attacks. SMB signing is disabled by default on workstations but enabled by default on servers.
To attack the network’s SMB services, we modify the configuration file of the Responder program so that it does not start its own SMB server.
We can use Nmap to identify hosts where SMB signing is disabled and build a targets.txt file.
We can also use crackmapexec to generate the targets.txt file automatically.
Now, launch Responder.
We’ll use the “ntlmrelayx” tool to relay challenges/responses between vulnerable SMB services and victim clients.
As with the previous attack, an LLMNR or NBT-NS request is sent to the network following a user’s blunder (searching for a non-existent network location or typing a search into Chrome), a network link that is no longer resolved by the internal DNS or, if the audit allows, a link sent as part of a phishing campaign. Our Responder tool will then poison it.
The challenge proposed by the server is relayed to the victim and the victim’s response to the server. If the response is validated by the target server, the session opened by ntlmrelayx succeeds and we see the SAM dump.
We can also get an interactive shell by adding -i at the end.
Similarly, we can run commands directly as well.
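The step above relies on finding hosts whose SMB service does not require signing. As an added example (not code from the original page, Responder or ntlmrelayx), the following Python decodes the SecurityMode field of an SMB2 NEGOTIATE response, which is exactly what a scanner inspects to decide whether a host is relayable; the response bytes are a constructed sample, not a real capture, and the header layout follows MS-SMB2.

```python
import struct

# SecurityMode flags of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER_LEN = 64


def parse_negotiate_response(data: bytes) -> dict:
    """Return dialect, SecurityMode and a signing verdict for a raw SMB2
    NEGOTIATE response: 'required' (relay to this host fails), 'enabled'
    (signing offered but not enforced: relayable) or 'disabled'."""
    if len(data) < SMB2_HEADER_LEN + 6:
        raise ValueError("too short to be an SMB2 NEGOTIATE response")
    if data[:4] == b"\xffSMB":
        raise ValueError("SMB1 response: SMB1 itself should be disabled")
    if data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    structure_size, = struct.unpack_from("<H", data, 4)   # header size
    command, = struct.unpack_from("<H", data, 12)         # 0 = NEGOTIATE
    if structure_size != 64 or command != 0:
        raise ValueError("not an SMB2 NEGOTIATE message")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", data, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        verdict = "required"
    elif security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        verdict = "enabled"
    else:
        verdict = "disabled"
    return {"dialect": dialect, "security_mode": security_mode, "verdict": verdict}


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample: a minimal SMB2 NEGOTIATE response (not a capture).
    Header fields after the protocol id: StructureSize, CreditCharge, Status,
    Command, CreditResponse, Flags (SERVER_TO_REDIR), NextCommand, MessageId,
    Reserved, TreeId, SessionId, then a 16-byte zero Signature."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1,
                                      0x1, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 16
    body += struct.pack("<IIII", 0, 0x800000, 0x800000, 0x800000)
    body += struct.pack("<QQHHI", 0, 0, 128, 0, 0)
    return header + body


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):  # workstation default vs. signing enforced
        print(hex(mode), parse_negotiate_response(build_sample_response(mode)))
```

A host that answers with the 'enabled' verdict is the kind of target the procedure above looks for; enforcing signing via the "Microsoft network server: Digitally sign communications (always)" policy moves it to 'required'.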