11 April, 2018

Ever Run a Relay? Why SMB Relays Should Be On Your Mind

Author: Eric Kuehn

Time is never on your side when you’re onsite with a client, and getting that first good foothold with admin privileges can seem impossible. However, some things work more often than others. One of my current favorite methods to jump-start my access in a network is the SMB relay. SMB relays help attackers move through a network while escalating their privileges at the same time. What’s not to like about gaining admin access to a server when all you have is a normal user account? Technically, you don’t even need an account yet, just your attack host connected to the network.

This attack vector isn’t new, but it is still very effective, mainly because very few organizations have implemented any methods to protect against it. Admittedly, some of these protections tend to be impractical in most Windows environments. In addition, there are multiple tools and utilities out there that can be used to initiate this attack. Examples include Kevin Robertson’s Inveigh-Relay (https://github.com/Kevin-Robertson/Inveigh), Laurent Gaffie’s MultiRelay (https://github.com/lgandx/Responder), and Core Security’s Impacket (https://github.com/CoreSecurity/impacket).

So let’s dig into the SMB relay: see how it works, what can be done to protect against it, and how to detect if it has been used against you.

How Does It Work?

Similar to a Pass-the-Hash attack, the SMB relay exploits the challenge/response methodology of NTLM-based authentication. Unlike most PTH attacks, where an attacker gathers the password hash of an account and uses it later, the SMB relay does its work while the authentication process is occurring. This is the real beauty: because the relay rides the live authentication exchange, these attacks bypass multi-factor authentication requirements and work with NTLMv2.
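To make the contrast with Pass-the-Hash concrete, here is a small in-memory model of an NTLMv2-style challenge/response (added here as an illustration; it is not code from this post or from any of the tools named above). It keeps NTLMv2’s HMAC-MD5 structure but, as a labelled assumption, substitutes SHA-256 for the MD4 NT hash so it runs on Python builds without MD4; the account names and password are constructed sample values. It shows why a response forwarded during the live exchange is accepted while the same response reused later against a fresh challenge is not, and that the party in the middle never holds the password or its hash.

```python
import hashlib
import hmac
import os


def nt_owf_v2(password: str, user: str, domain: str) -> bytes:
    """Per-account key in the style of NTOWFv2 (assumption: SHA-256 stands in for MD4)."""
    pw_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(pw_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


class Server:
    """Target server: holds the account verifier, never sees the password."""

    def __init__(self, user: str, domain: str, password: str) -> None:
        self.key = nt_owf_v2(password, user, domain)
        self.pending = None  # outstanding challenge, single-use

    def challenge(self) -> bytes:
        self.pending = os.urandom(8)  # fresh 8-byte challenge per authentication attempt
        return self.pending

    def verify(self, proof: bytes, blob: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending + blob, hashlib.md5).digest()
        self.pending = None  # a challenge can only be answered once
        return hmac.compare_digest(proof, expected)


class Client:
    """Victim workstation: answers whichever challenge it is handed."""

    def __init__(self, user: str, domain: str, password: str) -> None:
        self.key = nt_owf_v2(password, user, domain)

    def respond(self, challenge: bytes) -> tuple:
        blob = os.urandom(16)  # simplified stand-in for the NTLMv2 client nonce/timestamp blob
        return hmac.new(self.key, challenge + blob, hashlib.md5).digest(), blob


def relay_in_flight(client: Client, target: Server) -> tuple:
    """Relay position: forward the target's challenge to the victim and the answer back.
    Nothing here holds a password, hash or key; only the two messages pass through."""
    proof, blob = client.respond(target.challenge())
    return target.verify(proof, blob), (proof, blob)


def replay_later(target: Server, captured: tuple) -> bool:
    """PTH-style reuse of a captured response: the target's new challenge makes it worthless."""
    target.challenge()
    proof, blob = captured
    return target.verify(proof, blob)
```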

Here’s a quick high-level description of how NTLM authentication works.