Are Your Security Tools Exposing Your Network?
I recently performed a penetration test for a large company with a mature security program in place. They regularly get audited and have multiple companies perform security assessments and penetration tests, so I was unsure how successful I would be given their strong security posture. During our internal penetration test we found strong controls in place, and it wasn’t looking good for our team to break in. Then I noticed that when I went to the Internet, an account attempted to connect to my computer. This was the break I needed! I used this account to relay authentication to a third system and gained access to the network. Success!

The technique we used is called SMB Relay and has been around for many years. Metasploit (among others) has tools that will take advantage of this Microsoft “feature”. Here is how it works: System A sends credentials (typically domain-level) to System B (the bad guy) for authentication. When System B receives the request to negotiate the authentication, it forwards that request to System C. System C validates the credentials, which are genuinely System A’s, but the session it grants belongs to System B, so System B is allowed to “log in”.
There are potentially many services running in a typical network that blindly try to connect and authenticate to other systems. Security scanners, software patching, and proxy servers are all processes that are typically configured to seek out devices. If you’re a security professional, there are several things you should look for and evaluate in your own network.
- Do I have processes that will attempt to connect to any system or IP address on my network?
  - Don’t allow tools to connect to unknown devices; this reduces the chance that an unauthorized device can attempt an SMB Relay exploit.
- What permissions do these processes run under?
  - Don’t run tools that automatically connect to other systems as domain admin. Use an account with the least rights necessary.
- What type of hashes are my systems configured to send/accept?
  - Configure your systems to not accept LAN Manager (LM) or NTLM hashes; only allow NTLMv2. This will make it much more difficult for a malicious user to crack the password hash.
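As an added example (not part of the original post), the following PowerShell audit checks the last two items above on a Windows host: it reads the LmCompatibilityLevel registry value that controls which LM/NTLM/NTLMv2 responses the system sends and accepts, and lists services that start under a domain account as candidates for the least-privilege review. It assumes it runs elevated on a domain-joined host; the level descriptions are the documented Windows meanings.

```powershell
# Added example: audit LM/NTLM authentication level and domain-account services.
# Assumes an elevated PowerShell session on a domain-joined Windows host.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel
# ("Network security: LAN Manager authentication level" policy).
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmAuthLevel {
    # Returns $null when the value is not explicitly set (the OS default then applies).
    $prop = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.LmCompatibilityLevel
}

$level = Get-LmAuthLevel
if ($null -eq $level) {
    Write-Warning 'LmCompatibilityLevel is not explicitly set; the OS default applies. Set it to 5 to refuse LM and NTLM.'
} elseif ($level -lt 5) {
    Write-Warning ("LmCompatibilityLevel = {0} ({1}). LM and/or NTLM responses are still accepted; recommended value is 5." -f $level, $levels[$level])
} else {
    Write-Output ("LmCompatibilityLevel = 5 ({0}). LM and NTLM are refused." -f $levels[5])
}

# Services that start under a domain account. Each one is a process that may
# authenticate to other hosts and should run with the least rights necessary.
# $env:USERDOMAIN is the NetBIOS name of the current user's domain.
$domain = $env:USERDOMAIN
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "$domain\*" -or $_.StartName -like "*@$domain.*" } |
    Select-Object Name, StartName, State |
    Sort-Object StartName |
    Format-Table -AutoSize
```

Run it on a representative sample of servers and scanner hosts; any service listed under a domain admin account, or any level below 5, is an item for the review described above.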
Being aware of the risk associated with SMB Relay and following a few simple steps will ensure your network is as secure as possible.
By: Stewart Fey, CISA, CISSP, QSA.
