SMB relay attacks can be a lot of fun on internal penetration tests. Defenders will often attempt to scan and patch systems aggressively when the penetration testers show up “They wont be able to hack us if we scan and patch!”. The fun part is we can use that against them 🙂
Caveat: This attack can work with any vulnerability scanner, or anything spraying creds across the network even an admin script (assuming SMB signing is not enabled).
This blog post will demonstrate how a vulnerability scanner like Nessus will attempt to scan a network range and authenticate to systems (Windows will attempt authentication over SMB). Attackers can misuse this by creating a malicious SMB server that will relay the authentication between the server and the victim. The best part is vulnerability scanners commonly authenticate to systems with administrative privileges. The diagram below demonstrates this attack at a high-level:
Nessus is commonly deployed in an enterprise environment on a server that scans clients for vulnerabilities while leveraging potentially domain or local administrative credentials. We configured Nessus on our server (.102) and set administrative credentials for authentication to scan the windows client for vulnerabilities.
Before starting our authenticated Nessus scan we set our multi-handler, smbrelayx.py and msfvenom payload to get ready for the attack. Once the multi-handler was listening and the smbrelayx script was running, we started our Nessus scan against the target network. As a result during the scan the smbrelayx.py script was successful in intercepting the credentials and relayed them over to access the windows client, find a writable share and upload our payload with meterpreter shell access.
To prevent this attack you can enable SMB signing, but an attacker could still gather the Net-NTLMv2 password hash (can not pass the hash, you must crack), and nobody likes enabling SMB signing ><.