| 1 | +--- |
| 2 | +title: SMB Relay Attack |
| 3 | +description: SMB Relay Attack |
| 4 | +categories: [Active Directory] |
| 5 | +tags: [Active Direcotory, Initial Access, SMB, NTLM Authentication] |
| 6 | +weight: 2 |
| 7 | +--- |
| 8 | + |
| 9 | +{{% alert title="Note" %}} |
| 10 | +This article is under construction. Information presented is not complete. |
| 11 | +{{% /alert %}} |
| 12 | + |
| 13 | +SMB still supports NTLM authentication. The authentication flow goes as follows: |
| 14 | +1. Client calculates NTLM hash from the user's password and sends the username to the server. |
| 15 | +2. Server returns a random number called *nounce* as a **challenge**. |
| 16 | +3. Client completes the challenge by encrypting the nounce using the NTLM hash and sending the **response** to the server. |
| 17 | +4. If not part of an AD domain, the server encrypts the nounce itself and compare it to the ciphertext supplied by the client. If part of the AD domain, the server sends the client response to the **Domain Controller**, who does the comparison and tells the server if the response match or not. |
| 18 | +5. If there is a match, the client is successfully authenticated. |
| 19 | + |
| 20 | +This authentication follow is suspetible to a **Man-in-the-Middle** attack called SMB relay. The flow of the attack goes as follows: |
| 21 | +1. Client initates connection to an **attacker controlled relay**. |
| 22 | +2. Attacker relay connects to target server, relay client's username to target |
| 23 | +3. Server responds the attacker relay with **NTLM challenge**. |
| 24 | +4. Attacker relays the **NTLM challenge** to the client. |
| 25 | +5. Client completes the challenges, sends attacker relay the **NTLM response**. |
| 26 | +6. Attacker relays client's **NTLM response** to the target server. |
| 27 | +7. Target server checks the response. If it's correct, access is granted to attacker relay. |
| 28 | + |
| 29 | +TODO: Create Dedicated article for SMB relay attack |
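Review bot: Several misspellings in this hunk will ship straight into the rendered page: the front-matter `tags` entry reads `Active Direcotory` (should be `Active Directory`), "nounce" in steps 2 through 4 of the authentication flow should be "nonce", "This authentication follow is suspetible" should be "This authentication flow is susceptible", and "initates" in step 1 of the attack flow should be "initiates". Step 4 of the authentication flow also has two agreement errors: "compare it to the ciphertext" should be "compares it to the ciphertext", and "tells the server if the response match or not" should be "tells the server whether the response matches". A small consistency point: step 2 of the attack flow is the only list item without a terminating period. Finally, the page describes the relay but says nothing about what stops it; since the TODO defers a dedicated article, consider adding even a one-line mitigation pointer now so the under-construction page is still useful to defenders reading it.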