Related: SMB relay
Limitation
Windows Server 2022 requires traffic to be signed by default, preventing relay attacks.
An NTLM relay attack allows an attacker to gain access to a service by redirecting a client's NTLM authentication request to the target service. In the scenario described here, it works because the server the client intends to access is already compromised (the attacker controls it). Yet unlike a penetration test, for which Responder and ntlmrelayx will suffice, red team engagements have different parameters:
- Python scripts can’t run on Windows without installing tooling
- The SMB port (445) is usually already bound on domain-joined computers, and traffic to this port can't be redirected through regular means, even by a local admin
We can still bypass these restrictions using:
- WinDivert, a driver that lets us redirect traffic from port 445 to another port of our choosing (this is what PortBender uses in Cobalt Strike)
- A port forward (beacon> rportfwd) from that chosen port to the team server
- ntlmrelayx for intercepting SMB authentication traffic
- A SOCKS proxy that allows ntlmrelayx to relay the client response to the server
After the above is set up, when a client authenticates to the vulnerable server:
- Client: sends NTLM auth request to port 445 on the already-compromised server 1
- Server 1: redirects auth request from port 445 (server1:445 → server1:8445 → teamserver:445)
- Team server: relays request to server 2 (teamserver:1080 → server 1 beacon proxy → server2:445)
- Server 2: sends challenge (server 2 → server1:445 → server1:8445 → teamserver:445 → ntlmrelayx)
- … you get the idea
See forcing NTLM authentication for how to make a client authenticate to the compromised server.
This breaks SMB!
WinDivert will disrupt normal SMB traffic, so restore SMB as soon as possible.
This attack may be recognized by a driver load event (WinDivert). See the "Loaded Drivers" saved search in Kibana.
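To make the detection note above concrete, here is an added example (not from the original page, and not the Kibana saved search it mentions) showing the kind of rule a SOC would run over Sysmon Event ID 6 (DriverLoad) telemetry: it flags a WinDivert driver load by name, and as a generalisation also flags any driver loaded from outside the Windows driver directories or without a valid signature. The sample records, host names, paths and timestamps are constructed; the field names follow the Sysmon schema, but the SIEM export format that produces these dicts is an assumption.

```python
"""Flag suspicious kernel driver loads, the indicator the page points to for
WinDivert/PortBender-style port redirection.

Assumptions (not from the original page): input is Sysmon Event ID 6 records
already parsed into dicts, as a SIEM JSON export would deliver them.
"""
from dataclasses import dataclass
import ntpath
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry: every host, path and time here is invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "6", "Computer": "srv1.example.test", "UtcTime": "2024-05-01 10:00:01",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": "6", "Computer": "srv1.example.test", "UtcTime": "2024-05-01 10:02:17",
     "ImageLoaded": r"C:\Users\svc_backup\AppData\Local\Temp\WinDivert64.sys",
     "Signed": "true", "Signature": "Basil"},
    {"EventID": "6", "Computer": "srv1.example.test", "UtcTime": "2024-05-01 10:03:40",
     "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Signed": "false", "Signature": ""},
    # A network-connection event (ID 3): not a driver load, must be ignored.
    {"EventID": "3", "Computer": "srv1.example.test", "UtcTime": "2024-05-01 10:03:41",
     "ImageLoaded": ""},
]

# Directories from which drivers are normally loaded on a healthy host.
EXPECTED_DRIVER_DIRS: Tuple[str, ...] = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


@dataclass(frozen=True)
class Finding:
    computer: str
    utc_time: str
    image: str
    rule: str
    severity: str


def rules_for(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule_name, severity) pairs that fire for one DriverLoad event."""
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    hits: List[Tuple[str, str]] = []
    # Direct match on the driver the page names as the detection opportunity.
    if "windivert" in name:
        hits.append(("windivert_driver_loaded", "high"))
    # Drivers staged in user-writable or temp locations are unusual on servers.
    if not directory.startswith(EXPECTED_DRIVER_DIRS):
        hits.append(("driver_outside_driver_store", "medium"))
    # Sysmon reports "Signed": "true"/"false"; anything else is treated as unsigned.
    if event.get("Signed", "").lower() != "true":
        hits.append(("unsigned_driver", "medium"))
    return hits


def analyze_driver_loads(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run every rule over the DriverLoad (EventID 6) records only."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        for rule, severity in rules_for(ev):
            findings.append(Finding(ev["Computer"], ev["UtcTime"],
                                    ev["ImageLoaded"], rule, severity))
    return findings


if __name__ == "__main__":
    for f in analyze_driver_loads(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] {f.utc_time} {f.computer} {f.rule}: {f.image}")
```

On the constructed input the benign tcpip.sys load produces nothing, the WinDivert load fires both the name rule and the out-of-driver-store rule, and the unsigned temp-directory driver fires the remaining two. Pair the driver-load alert with the restore step the page insists on: a host that loaded WinDivert and then lost normal SMB service is worth an immediate look.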
Example
In beacon (vulnerable server):
On team server:
In beacon (vulnerable server):