The Story of SMB Relay Attack!

Through the Lens of LLMNR Poisoning

Sumanth Dodda
5 min read, Dec 21, 2023

Ever been curious about SMB relay attacks and how they work? Let’s break it down in simpler terms.

SMB relay attacks build on a clever concept called “pass the hash.” If you manage to capture a hash and crack it with a tool like hashcat, you can simply log in with the recovered password. But what if the company enforces a crazy 21-character password policy, making hash cracking practically impossible?

Now, for this attack to work, there are some prerequisites. It relies on the default configuration of an Active Directory setup. Two crucial requirements are: first, SMB signing must be either disabled or not strictly required on the target, and second, the hash being relayed must belong to a user who is an administrator on the target machine.
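The signing requirement is visible on the wire: the server announces it in the SecurityMode field of its SMB2 NEGOTIATE response. The following Python is an added example (not from the post) that a defender can use to confirm a “require signing” policy actually took effect on a host; the sample packet is constructed inline, and the MS-SMB2 header and NEGOTIATE response layout is the only assumption.

```python
"""Classify a server's SMB signing posture from its SMB2 NEGOTIATE response."""
import struct

# SecurityMode bits of the SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4)
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
FLAGS_SERVER_TO_REDIR = 0x00000001  # header flag marking a response

def parse_negotiate_response(data: bytes) -> dict:
    """Extract SecurityMode and dialect from a raw SMB2 NEGOTIATE response."""
    if len(data) < SMB2_HEADER_LEN + 6 or data[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    if command != SMB2_NEGOTIATE or not flags & FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    size, mode, dialect = struct.unpack_from("<HHH", data, SMB2_HEADER_LEN)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {"security_mode": mode, "dialect": dialect}

def signing_posture(security_mode: int) -> str:
    """'required' defeats relay; 'enabled' (the workstation default) or 'disabled' does not."""
    if security_mode & SIGNING_REQUIRED:
        return "required"
    return "enabled" if security_mode & SIGNING_ENABLED else "disabled"

def relay_exposed(data: bytes) -> bool:
    """True when this server would accept a relayed session without a signature."""
    return signing_posture(parse_negotiate_response(data)["security_mode"]) != "required"

def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample: minimal SMB2 header plus NEGOTIATE response body (no buffer)."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0
    ) + bytes(16)  # Signature field, all zero on an unsigned message
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, bytes(16),
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body

if __name__ == "__main__":
    for mode in (0x0000, 0x0001, 0x0003):
        verdict = "relayable" if relay_exposed(build_sample_response(mode)) else "protected"
        print(hex(mode), signing_posture(mode), verdict)
```

On a live host the same parser can be fed the first response received after sending an SMB2 NEGOTIATE request to port 445.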

To understand this attack better, we first need some background: the difference between local administrators and domain administrators, and what happens when DNS fails to resolve a name within the domain. In that case a fallback protocol named LLMNR (Link-Local Multicast Name Resolution) steps in to answer the request that DNS could not.

LLMNR is a protocol used on local networks to resolve the names of neighboring computers. When a computer needs to resolve a host name to an IP address and the name is not found in DNS, it sends an LLMNR query to the local network, and any host on that segment may answer. In simpler terms, it’s like having someone step in and answer the question when the usual system, DNS, fails to answer.

The attacker, positioned as a man-in-the-middle, intercepts this LLMNR request. Instead of allowing the request to reach its intended destination, the attacker responds to the requester with false information, pretending to be the requested device. The device accepts this false response and tries to authenticate to the attacker, revealing its hash, and the attacker can subsequently use the captured hashes.

If the intercepted hash is easy to crack, an attacker can quickly brute-force it and gain unauthorized access to the domain. This entire process, capturing hashes by intercepting name-resolution requests, is known as an LLMNR poisoning attack. And if the captured hash proves resistant to cracking, the attacker can still relay it to other computers to extract additional information from them.
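Because any host on the segment can answer an LLMNR query, the tell-tale sign of poisoning is one source answering for many different names. The following Python is an added example (not part of the post) that parses LLMNR responses, which use the DNS wire format, from a constructed capture and flags such sources; the IP addresses, names and threshold are made up for illustration.

```python
"""Flag LLMNR poisoning from captured UDP/5355 responses."""
import struct
from collections import defaultdict

def build_llmnr_response(name: str, ip: str, tid: int = 1) -> bytes:
    """Constructed sample LLMNR response answering `name` with the A record `ip`."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", tid, 0x8000, 1, 1, 0, 0)  # QR=1, 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, ip.split(".")))
    return header + qname + struct.pack("!HH", 1, 1) + answer  # question is type A, class IN

def parse_llmnr_response(payload: bytes):
    """Return (queried name, [A-record IPs]) from a raw LLMNR response payload."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", payload, 0)
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question LLMNR response")
    off, labels = 12, []
    while payload[off]:  # DNS-style labels, which LLMNR shares with DNS
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1 + 4  # name terminator, then QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        if payload[off] & 0xC0 == 0xC0:  # compression pointer back to the question name
            off += 2
        else:  # uncompressed owner name
            while payload[off]:
                off += 1 + payload[off]
            off += 1
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return ".".join(labels), ips

def find_poisoners(events, threshold: int = 3):
    """events: (source IP, payload) pairs. A real host answers LLMNR only for its own
    name, so one source answering for >= threshold distinct names is suspicious."""
    names_by_src = defaultdict(set)
    for src, payload in events:
        name, _ = parse_llmnr_response(payload)
        names_by_src[src].add(name.lower())
    return sorted(s for s, names in names_by_src.items() if len(names) >= threshold)

# Constructed capture: 10.0.0.50 answers every mistyped name, the poisoner pattern
SAMPLE_EVENTS = [("10.0.0.50", build_llmnr_response(n, "10.0.0.50")) for n in ("nothing", "fileserv", "wpad")]
SAMPLE_EVENTS.append(("10.0.0.7", build_llmnr_response("sumo", "10.0.0.7")))
```

In a real deployment the payloads come from UDP port 5355 traffic on a network sensor, and the usual mitigation is to disable LLMNR (and NBT-NS) by group policy so there is nothing left to poison.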

Architectural Prerequisites for Understanding this Attack Better!

Allow me to detail the architecture for a clearer understanding. In my Active Directory (AD) setup, I’ve established a domain controller known as “SUMO-DC.” Within this domain, I’ve created two user accounts named “Gangadhar Bethi” (gbethi@UNCC.local) and “Nikhil Pinnam” (npinnam@UNCC.local), and a Domain Administrator account named “Administrator” (Administrator@UNCC.local) on my domain controller.

I also have two computers named ROWDY and SUMO. During the OS installation on these computers, I created local user accounts named “gangadhar” on SUMO and “nikhil” on ROWDY, respectively. Initially, these accounts had no access to the domain controller.

Following the integration process, I successfully joined both the ROWDY and SUMO computers to the UNCC.local domain, which is centrally managed by the domain controller “SUMO-DC.” Initially, I used the Domain Administrator credentials (Administrator@UNCC.local:P@$$w0rd!) to log in to the ROWDY computer. Subsequently, I assigned local administrator privileges to “Nikhil Pinnam” (npinnam@UNCC.local) by adding him to the Administrators group on the ROWDY computer.

On the SUMO computer, I extended local administrator privileges to both “Gangadhar Bethi” (gbethi@UNCC.local) and “Nikhil Pinnam” (npinnam@UNCC.local).

The Attack:

With the attacker on the same network as the domain controller and the computers, we execute this attack using two well-known tools: Responder for LLMNR poisoning and NTLMRelayX for relaying the captured hashes. The target machines are my ROWDY and SUMO computers, and their IP addresses must be provided to NTLMRelayX in a file (targets.txt) so that it can relay the captured hashes successfully.

So for the relay of a user’s hash to succeed, that user (i.e. npinnam@UNCC.local) has to be in the local Administrators group on the other target computer (SUMO).

To initiate the attack, on our attacker machine we start Responder on the network interface connected to the same network as the target computers, and start NTLMRelayX with our targets file specified.

To simulate the attack, I’ll log in as “npinnam@UNCC.local” (npinnam@UNCC.local:ONEpiece123#) on my ROWDY computer and attempt to connect to a non-existent share (\\nothing).

Responder will answer the query and capture the hash. NTLMRelayX then relays this captured hash to the specified target computers (ROWDY and SUMO) and tries to extract information from them.

Upon initiating the attack, the captured hash is first relayed to the ROWDY computer itself. However, this attempt fails: a hash relayed back to the machine it came from yields nothing. Recognizing this limitation, the attacker proceeds to relay the hash to the SUMO computer.

Crucially, on the SUMO computer, the user “npinnam” holds local administrator privileges. This becomes the key to the success of the SMB relay attack. Combined with SMB signing not being required, this privilege lets the relay complete and dump the local SAM (Security Accounts Manager) database of the SUMO computer.

(In the output, 192.168.242.129 is the ROWDY computer and 192.168.242.130 is the SUMO computer.)

In simpler terms, the attacker, having captured the hash through LLMNR poisoning, relays it to the SUMO computer, capitalizing on the fact that “npinnam” is a local administrator on SUMO and that SMB signing is not enforced there. This allows the relay to succeed and the contents of the local SAM database on the SUMO computer to be extracted.

Here hai.txt contains the gangadhar hash, and word.txt is the wordlist used to crack it.

Thank you :)
Sumanth Dodda
