Post-Exploitation Lateral Movement via SMB Relay Attacks
In the lifecycle of a targeted intrusion, initial access is merely the prologue. The true objective-domain dominance, data exfiltration, or ransomware deployment-requires lateral movement. While many practitioners focus on credential harvesting via LSASS dumping or Kerberoasting, one of the most potent and computationally "silent" methods of movement remains the SMB Relay attack.
Unlike brute-force attacks that trigger account lockout policies, or Kerberoasting which requires a valid domain user context, an SMB Relay attack exploits the inherent trust in the NTLM (NT LAN Manager) authentication protocol. By positioning oneself as a man-erval-in-the-middle, an attacker can hijack authentication attempts to gain unauthorized access to remote systems without ever needing to know the user's plaintext password.
The Fundamentals: The NTLM Handshake
To understand the relay, one must first understand the NTLM authentication mechanism. NTLM is a challenge-response protocol. When a client attempts to authenticate to a server, the process follows a three-step dance:
- Negotiate: The client sends a `NEGOTIATE_MESSAGE` to the server, outlining its capabilities (e.g., supported encryption levels, NTLM version).
- Challenge: The server responds with a `CHALLENGE_MESSAGE` containing an 8-byte random nonce (the "server challenge").
- Authenticate: The client encrypts this challenge using a hash derived from the user's password and sends an `AUTHENTICATE_MESSAGE` back to the server.
In a standard environment, the server verifies this response against its own database (or via a Domain Controller). The vulnerability lies in the fact that the server does not inherently know if the client performing the authentication is the original initiator of the request or a third party relaying a captured challenge.
The Attack Vector: Poisoning and Interception
An SMB Relay attack typically begins with a network-wide redirection technique. In modern Windows environments, protocols like LLMNR (Link-Local Multicast Name Resolution), NBT-N S (NetBIOS Name Service), and mDNS are often left enabled for backward compatibility. These protocols are designed to resolve hostnames when DNS fails.
An attacker, having established a foothold on the local network, employs a tool like `Responder` to listen for these broadcast requests. When a victim machine attempts to access a non-existent network resource (e.g., a typo in a file share path like `\\servre01\`), the attacker's machine responds, claiming to be the destination host.
The victim, believing the attacker's machine is the intended target, initiates an NTLM authentication handshake with the attacker. At this stage, the attacker holds the "Challenge" sent by the attacker's machine but has not yet processed it.
The Relay Mechanism: Orchestrating the Handshake
The "Relay" occurs when the attacker simultaneously initiates a connection to a second, legitimate target (the "Target Server") and passes the NTLM messages between the victim and the target.
Using a tool such as `impacket-ntlmrelayx`, the workflow is as follows:
- Capture: The attacker intercepts the `NEGOTIATE` and `CHALLENGE` from the victim via LLMNR/NBT-NS poisoning.
- Forward: The attacker immediately forwards the `NEGOTIATE` message to the Target Server.
- The Relay: The Target Server sends its own `CHALLENGE` back to the attacker. The attacker passes this challenge back to the victim.
- The Final Leap: The victim computes the response using their password hash and sends the `AUTHENTICTE` message to the attacker. The attacker then forwards this valid response to the Target Server.
If the Target Server accepts the authentication, the attacker has successfully authenticated as the victim. If the victim possesses administrative privileges on the target, the attacker can execute arbitrary code via `psexec`, `smbexec`, or WMI.
The SMB Signing Barrier
The primary technical obstacle to a successful SMB Relay attack is SMB Signing.
SMB Signing adds a digital signature to every packet in the SMB session, ensuring the integrity of the communication. This signature is calculated using a session key derived during the authentication process. If SMB Signing is "Required" on the target server, the attacker cannot relay the authentication. Because the attacker is a middleman, they cannot re-calculate the signature for the relayed packets without knowing the actual session key, which is derived from the user's NT hash.
In a modern, hardened Windows environment, SMB Signing is typically enabled by default for Domain Controllers. However, many workstations and member servers-particularly those running legacy applications-often have SMB Signing set to "Disabled" or "Not Required," leaving them vulnerable to relaying.
Expanding the Surface: Relaying to LDAP and AD CS
A sophisticated practitioner does not limit themselves to SMB. The NTLM relay technique is protocol-agnostic as long as the target service accepts NTLM.
One of the most devastating modern variations involves relaying NTLM authentication to LDAP or LDAPS. If an attacker can relay a captured authentication to a Domain Controller via LDAP, they can perform unauthorized
Conclusion
As shown across "The Fundamentals: The NTLM Handshake", "The Attack Vector: Poisoning and Interception", "The Relay Mechanism: Orchestrating the Handshake", a secure implementation for post-exploitation lateral movement via smb relay attacks depends on execution discipline as much as design.
The practical hardening path is to enforce strict token/claim validation and replay resistance, deterministic identity policy evaluation with deny-by-default semantics, and host hardening baselines with tamper-resistant telemetry. This combination reduces both exploitability and attacker dwell time by forcing failures across multiple independent control layers.
Operational confidence should be measured, not assumed: track detection precision under peak traffic and adversarial packet patterns and time from suspicious execution chain to host containment, then use those results to tune preventive policy, detection fidelity, and response runbooks on a fixed review cadence.