
SMB Signing


Unauthenticated:

Scan entire ranges:

sudo nmap -p 445 --script=smb-security-mode.nse <target-ip/range>

nxc smb <subnet> --gen-relay-list nosigning.txt
auth smb <subnet> 

Authenticated:

runas /netonly /user:domain\user cmd.exe
powershell -ep bypass
. .\powerview.ps1

Dump computers and scan:

Get-DomainComputer -Properties dnshostname | Select-Object -ExpandProperty dnshostname | Out-File -FilePath computers.txt

nxc smb computers.txt --gen-relay-list <output_file>
auth smb computers.txt 

With bloodhound:

MATCH (n:Computer)
WHERE n.smbsigning = False
RETURN n


Where to?