# Lateral Movement via SMB Relaying This lab looks at a lateral movement technique abusing SMB protocol if SMB signing is disabled. SMB signing is a security mechanism that allows digitally signing SMB packets to enforce their authenticity and integrity - the client/server knows that the incoming SMB packets they are receiving are coming from a trusted source and that they have not been tampered with while in transit, preventing man in the middle type attacks. If SMB signing is disabled, howeverm packets can be intercepted/modified and/or relayed to another system, which is what this lab is about. ## Environment * 10.0.0.5 - attacker running Kali linux and smb relaying tool * 10.0.0.2 - victim1; their credentials will be relayed to victim2 * 10.0.0.6 - victim2; code runs on victim2 with victim1 credentials {% hint style="warning" %} Credentials from Victim1 must be for a local admin on Victim2 or be a member of Administrators/Domain Administrators group for this attack to work successfully. {% endhint %} Below is a simplified process of how this attack works: `10.0.0.2` -authenticates to-> `10.0.0.5` -relays to-> `10.0.0.6` executes code with victim1(10.0.0.2) credentials ## Execution One of the ways to check if SMB signing is `disabled` on an endpoint: {% code title="attacker\@kali" %} ```csharp nmap -p 445 10.0.0.6 -sS --script smb-security-mode.nse ``` {% endcode %} ![](/files/-LV2rbdfohiQhgVVp36v) Since we know that victim2\@10.0.0.6 has SMB signing disabled and is vulnerable to SMB relaying attack, let's create a simple HTML file that once opened will force the victim1 to authenticate to attacker's machine: {% code title="message.html" %} ```markup

holla good sir

``` {% endcode %} {% hint style="info" %} Any other forced authentication method will also work - follow below link for a list of techniques. {% endhint %} {% content-ref url="/pages/-LKByyrc1DYbnORq03RW" %} [Forced Authentication](/offensive-security/initial-access/t1187-forced-authentication.md) {% endcontent-ref %} ...at the same time, let's fire up SMBRelayx tool that will listen for incoming SMB authentication requests and will relay them to victim2\@10.0.0.6 and will attempt to execute a command `ipconfig`on the end host: {% code title="attacker\@kali" %} ``` smbrelayx.py -h 10.0.0.6 -c "ipconfig" ``` {% endcode %} {% hint style="info" %} Note that smbrelayx could be used with a `-e` switch that allows attacker to execute their payload file - say, a meterpreter executable. {% endhint %} Below is a gif showing the technique in action - on the left - `victim1@10.0.0.2` opening the malicious html we crafted earlier that forces it to attempt to authenticate to the attacker system (on the right). Once the authentication attempt comes in, it gets relayed to `victim2@10.0.0.6` and ipconfig gets executed: ![](/files/-LV0FHYzHLQArZq6xa8p) A stop frame from the above gif that highlights that the code execution indeed happend on 10.0.0.6: ![](/files/-LV0FEWFMv0_K8EdnwWC) ## Observations & Mitigation Smbrelayx.py leaves a pretty good footprint for defenders in Microsoft-Windows-Sysmon/Operational - the parent image is services.exe and the commandline has juicy details - note though that the commandline arguments are subject to forgery: ![](/files/-LV3S66ZH7xU8fHCuMMz) In order to mitigate this type of attack, the best way to do it is by implementing GPOs if possible by setting the policy **Microsoft network server: Digitally sign communications (always)** to `Enabled`: ![](/files/-LV2phm3OqrX7_iFMRDn) With the above change, trying to execute the same attack, we get `Signature is REQUIRED` errors message and lateral movement is prevented: ![](/files/-LV0FfwCtpKjz6sYRTCd) The same nmap scan we did earlier now also shows that the `message signing is required`: {% code title="attacker\@kali" %} ```csharp nmap -p 445 10.0.0.6 -sS --script smb-security-mode ``` {% endcode %} ![](/files/-LV2wJWDB7foo20sG8fO) ## References {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.ired.team/offensive-security/lateral-movement/lateral-movement-via-smb-relaying-by-abusing-lack-of-smb-signing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.