System Weakness

System Weakness is a publication that specialises in publishing upcoming writers in cybersecurity and ethical hacking space. Our security experts write to make the cyber universe more secure, one vulnerability at a time.


SMB Relay Attack

Amoranio 🚀
Published in System Weakness
6 min read · Jan 20, 2022


SMB is commonly used for sharing files, printers and communication between client and server. Before one can communicate with the other, the user will be required to authenticate themselves. This is simple access control.

Although this control can help protect those important files, it can also be manipulated to allow authentication attempts to be relayed and used to access systems. It can also be abused in order to collect password hashes. This is where SMB relay comes into play.

The attacker places themselves in the middle (MiTM) and relays the attempts. Once the end server has validated the credentials, the access is granted to the attacker instead of the user.

Let’s run through a scenario and use multiple tools in order to run an SMB relay attack.

  • Attacker IP: 192.168.1.158
  • User IP: 192.168.1.64
  • SMB Share Server: 192.168.1.65

In this case, we know the IPs and shares but if you did need to scan the network, you could use the following:

NMAP

Nmap has an enumeration script which allows you to map out SMB shares.

nmap --script smb-enum-shares.nse -p445 <host>

sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>

Metasploit

Metasploit has the SMB_EnumShares module which allows you to do a similar scan. This does require you to know the user’s credentials, though, as it often fails without them.

Just Windows

Windows Explorer can be used to find network shares. By mapping to the IP/Host, Explorer will list the available shares. You won’t need to know the credentials to view exposed shares. If they have enabled ‘Access based enumeration’, you will only be able to see folders the user has access to.


Written by Amoranio 🚀

Tech and security content creator. 🔥https://amoran.io
