SMB Relay Attack


One aspect of security is ensuring that your network doesn’t fall victim to attacks like SMB relay attacks. SMB (Server Message Block) is a network protocol that allows shared file and printer access between devices on a network. To enhance the security of SMB, you can enable SMB signing, which ensures the integrity and authenticity of data transfers. However, if SMB signing is enabled but not required, the server will still accept unsigned sessions, and that is exactly what an SMB relay attack relies on.

Using Nmap to Check for SMB Signing Vulnerabilities

To perform this test, you’ll need to use the smb2-security-mode.nse script provided by Nmap.

nmap --script=smb2-security-mode.nse -p445 192.168.18.47 -Pn

“Message signing enabled and required”: This result indicates that SMB signing is both enabled and required on the target machine. In this scenario, authentication cannot be relayed to this host.

“Message signing enabled but not required”: This result indicates that while SMB signing is enabled, it is not required. This configuration leaves the host exposed, because an attacker can relay authentication to it over an unsigned session.


To address the machines with “Message signing enabled but not required,” you can create a ‘targets.txt’ file containing the IP addresses of these vulnerable machines.
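As an added example (not code from the original post), here is a small Python script that reads Nmap's normal output for the smb2-security-mode script and sorts hosts into those that require signing, those that only enable it, and those the script could not assess. The embedded scan output is constructed for the example, and the 192.168.18.50 and 192.168.18.60 addresses are assumed. The same triage that produces targets.txt in the post is what a defender needs to drive remediation, with hosts that returned no result kept visible rather than assumed safe.

```python
import re
from typing import Dict, List

# Constructed sample in Nmap's normal-output (-oN) style for three hosts.
# The two status strings are the ones the post describes; the third host
# has port 445 closed, so the script produces no result for it.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.18.47
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for 192.168.18.50
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Nmap scan report for 192.168.18.60
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SIGNING_RE = re.compile(r"Message signing (.+?)\s*$")


def parse_signing_status(nmap_output: str) -> Dict[str, str]:
    """Map each scanned host to the signing status the script reported.

    A host that never produced a 'Message signing' line (port closed, script
    did not run) is recorded as 'unknown' so it is not silently treated as safe.
    """
    status: Dict[str, str] = {}
    current = None
    for line in nmap_output.splitlines():
        host_match = HOST_RE.match(line)
        if host_match:
            current = host_match.group(1)
            status[current] = "unknown"
            continue
        sign_match = SIGNING_RE.search(line)
        if sign_match and current is not None:
            status[current] = sign_match.group(1).strip()
    return status


def triage(status: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into required / not_required / unknown for remediation."""
    groups: Dict[str, List[str]] = {"required": [], "not_required": [], "unknown": []}
    for host, reported in sorted(status.items()):
        if reported == "enabled and required":
            groups["required"].append(host)
        elif "not required" in reported:
            groups["not_required"].append(host)
        else:
            groups["unknown"].append(host)
    return groups


if __name__ == "__main__":
    groups = triage(parse_signing_status(SAMPLE_NMAP_OUTPUT))
    print("Signing required (OK):        ", groups["required"])
    print("Signing NOT required (fix):   ", groups["not_required"])
    print("No result (verify manually):  ", groups["unknown"])
```

Feed it a saved scan (nmap ... -oN scan.txt) instead of the embedded sample and the not_required group is the list of hosts that need signing set to required; the unknown group is the list to re-check before declaring the network clean.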

Use Responder to listen for ongoing traffic in the network.

Responder is a Python poisoner: it listens for name-resolution requests on the local network and answers them, impersonating the host the victim asked for. It can be used for both legitimate network testing and potentially malicious activities.

https://github.com/SpiderLabs/Responder

Make sure to turn the SMB and HTTP servers off in the Responder.conf file.

sudo mousepad /etc/responder/Responder.conf
sudo responder -I eth0 -dwPv

Then set up ntlmrelayx.py (part of Impacket).

ntlmrelayx is a security tool for exploiting weaknesses in NTLM authentication in Windows networks. It intercepts authentication requests and relays them to other hosts, potentially allowing unauthorized access and malicious actions in compromised networks.

ntlmrelayx.py -tf targets.txt -smb2support

Once the ntlmrelayx server is running, it waits for incoming authentication. When a user on the network logs in, the server can capture and potentially extract the authentication hashes associated with that user’s session. These captured hashes can be used for further malicious activity or for analysis.


Mitigations

  1. Require SMB Signing: Configure signing as required, not merely enabled, on both servers and clients.
  2. Strong Passwords: Encourage strong, unique passwords.
  3. Network Segmentation: Segregate and restrict SMB access.
  4. Patch and Update: Keep systems updated with security patches.
  5. Monitor Traffic: Use network monitoring and intrusion detection.
  6. Disable NTLM: Avoid NTLM where possible, use Kerberos.
  7. Access Control: Implement strict access controls.
  8. User Education: Train users on security awareness.
  9. Regular Scanning: Conduct periodic vulnerability assessments.
