H3-2020-0013¶

SMB Relay Attack Possible

Description¶

SMB relay is a Man-in-the-Middle attack that is possible when the remote target system has SMB signing disabled. SMB signing authenticates the source of the NetNTLMv1/2 hash being received.

Impact¶

An attacker may gain a system level shell on a vulnerable host if an SMB relay attack is successful. This provides a point of presence in the network to conduct further reconnaissance, gather sensitive information, and launch advanced attacks to move laterally throughout the environment.

References¶

• Microsoft network server: Digitally sign communications (always)
• Microsoft network client: Digitally sign communications (always)
• MITRE ATT&CK Technique: T1557.001: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
• MITRE ATT&CK Technique: T1187: Forced Authentication