Effective NTLM / SMB Relaying
SMB Relay has been around for a long while. I even have a post about using it along with LNK files here:
Here is the problem though. Most of the tools to exploit it either catch the authentication in NTLMv2/NTLMv1 (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 thats much harder to pin down. You have to know who is going to hit your relay server and what other location they might be an admin on. You also have to a service you want to run on that target.
- SpiderLabs Responder
- SMBRelayX in Impacket
- HTTP NTLM Relay Metasploit Module
- SMB Relay PSExec Metasploit Module
- Oracle SMB Relay Metasploit Module
- SAP SMB Relay Metasploit Module
“Soft” relay tools:
Now, some would argue that you just spin up the relay at a target then leave it until one pops. I’m not really a fan of that. You will not only be creating multiple access attempt log entries, but you are also just throwing away all of those user authentication attempts. There are 3 tools that agree with me.
- Squirtle * Squirtle is awesome plus it’s written in a language I understand (ruby) but it has one serious downfall, many of the post-auth features are left up to the user to develop. It does have a great API but needs some coding to get to do certain things.
- Intercepter-NG * I have tested Interceptre-NG out a lot and it has some fantastic features, not to mention that it does relaying on a Windows host, which is impressive all by itself (due to 445 default bind). My only problem with it is that it’s closed source. But definitely recommended.
The 3rd is a tool called “ZackAttack” by Zack Fasel, you can find it here on Github:ZackAttack. You can find the video of the talk releasing this tool on Youtube. So what is so special about this tool? Other than the fact that most of the web interface is broken horribly it has this amazing bit of code that acts as a SOCKS proxy. This SOCKS proxy identifies SMB or HTTP traffic that has NTLM authentication going on and rewrites it based on captured sessions.
What does this mean? If I use SpiderLab’s Responder, for instance, to spoof/get/fake a bunch of users into connecting to my machine via automatic or forced methods to the capture/keep services that ZackAttack spins up, I can then run smbclient or Outlook or Web browser, push it through the ZackAttack SOCKS proxy, pick a username out of the captured names, and use any password I want when asked, and the SOCKS proxy will automatically replace it en route with the valid session information.
This way I can use every authentication that comes in to its highest potential for pwnage. The video below shows how this can be used to connect to a “Network share”
Update: One thing to mention that ZackAttack does that I haven’t seen other tools do, even Squirtle or Intercepter-NG is getting 3+ successful authentications out of a single relay from a user. ZackAttack does this with some clever HTTP Keep-Alive and SMB “reauth” kung fu.
- 2014-02 SpiderLabs - Responder 2.0 Owning Windows Networks Part 3
- 2014-01 NetSPI Blog - SMB Attacks Through Directory Traversal
- 2013-06 Ares - SMB Hijacking Kerberos is defeated
- 2013-04 SANS Pentesting Blog - SMB Relay Demystified and NTLMv2 Pwnage with Python
- 2013-01 Core Security Training Video - How To Perform a SMB Relay Attack
- 2013-01 Mark Gamache - NTLM Challenge Response is 100% Broken
- 2012-12 NetSPI Blog - Executing SMB Relay Attacks via SQL Server using Metasploit
- 2012-07 WebstersProdigy - Metasploit Generic NTLM Relay Module
- 2012-04 Ares - Actuality of SMBRelay in Modern Windows Networks
- 2011-01 Digital Security Research Group Blog - SMBRelay Bible
- 2009-07 Carnal0wnage - Metasploit Oracle TNSCMD SMBRelay Demo
- 2008-11 Ron Bowes - Preventing SMB Relay Attacks
- 2008-08 Kurt Grutzmacher at DEF CON 16 - NTLM is Dead!
- 2008-06 John Heasman - Stealing Password Hashes with Java and IE
- 2008-04 Eric Rachner: NTLM Relay Attacks - Released tool ‘scurvy’
- 2007-08 HD Moore and Valsmith - Tactical Exploitation
- 2004-12 (ARCHIVE.ORG) Jesse Burns at SySCAN - NTLM Authentication Unsafe
- 2002-01 Azbil SecurityFriday Ltd - ScoopLM
- 2001-03 @lantaCon - Reference from March 31 2001 talk
I tried finding all the original/semi original references about SMB (LM/NTLM) Relaying. If you have others please leave a comment below so I can add them to the list.