DEV Community

Cover image for ๐Ÿ” RCE in Plain Sight: The Forgotten SMB Relay
Harsh Kanojia
Harsh Kanojia

Posted on

๐Ÿ” RCE in Plain Sight: The Forgotten SMB Relay

#devops #security #cybersecurity #programming

Abstract
This post details an investigation into the persistent threat of Server Message Block SMB relay attacks, specifically highlighting modern Windows configurations that still leave systems vulnerable to unauthenticated remote code execution (RCE) under specific network topologies. We examine the technical nuances and provide pragmatic mitigation steps for SOC analysts and security engineers.

High-Retention Hook
I once spent three days chasing a phantom command and control beacon, only to realize the initial compromise wasn't a clever phishing email or a zero-day exploit; it was a decade-old protocol handshake gone wrong, relayed silently across an otherwise segmented network. We all focus on EDR evasion, but sometimes the biggest blind spot is the one you deliberately configured to "just work."

Research Context
SMB, the backbone of Windows file sharing, remains a prime target. While Microsoft has made significant stridesโ€”Disabling NTLM by default in many contexts, enforcing signingโ€”the dependency on legacy authentication protocols in specific enterprise environments creates exploitable paths. The core issue isn't a flaw in SMB itself, but the willingness of systems to trust and process credentials handed to them via an SMB relay agent, such as Responder or an attacker-controlled intermediary host. This scenario directly maps to the MITRE ATT&CK technique T1185, SMB Relay.

Problem Statement
The prevailing belief in many security teams is that by disabling NTLM authentication entirely, SMB relay risks are eliminated. This is dangerously incomplete. Attackers are successfully leveraging misconfigurations where clients are permitted to connect to hostile servers over SMB without secure negotiation, allowing the attacker to relay captured or fabricated authentication hashes directly to a third target. We are often focused on inbound credential theft (e.g., LLMNR poisoning) but neglect the outbound relay path when a machine unnecessarily trusts an initial untrusted connection.

Methodology or Investigation Process
My investigation focused on an Active Directory environment utilizing modern Windows 10/11 endpoints and Windows Server 2019/2022 Domain Controllers. The setup involved three key components: a malicious listener (using a customized Python SMB relay script mimicking Responder functionality), a targeted victim server (set up with vulnerable file shares), and a standard endpoint acting as the initial probe machine. The primary test was observing if a standard endpoint, upon resolving a poisoned name query, would attempt to authenticate to the attacker machine, and if that authentication attempt could then be relayed to the victim server without user interaction or valid credentials on the relay endpoint itself. We focused heavily on registry keys related to RestrictNTLM and InsecureHosts.

Findings and Technical Analysis
The key finding centers on systems where NTLM authentication is still allowed but where the client attempting the connection is tricked into connecting to an arbitrary IP address via poisoning. Even with NTLMv2 enforced, a successful relay can achieve unauthenticated access if the relay target trusts the source machine inherently, or if the initial handshake is crafted to avoid full NTLM negotiation failures before relaying.

Crucially, if a workstation is tricked into connecting to an attacker controlled server via SMB (port 445), that workstation attempts to authenticate to the attacker. If the attacker can immediately relay that authentication attempt to a Domain Controller or another high-value target, RCE or privilege escalation becomes feasible, especially if the initial workstation had high privileges or if the relay target is inherently trusting. We confirmed that if the relay target machine does not strictly enforce SMB signing (a legacy configuration often overlooked), the attack vector widens considerably. Consider the breach involving a major European utility company several years ago; although details were scarce, post-incident reports often hint at an initial internal compromise vector leveraging lateral movement protocols that were not hardened to the same degree as perimeter defenses.

Risk and Impact Assessment
The impact of a successful SMB relay attack, particularly against Domain Controllers or centralized file servers, moves directly from reconnaissance to full system compromise. This isn't about stealing a hash for offline cracking; this is real-time, unauthenticated access to high-value assets using credentials stolen from another internal machine. In many environments, this becomes the fastest path to Domain Admin privileges post-initial network ingress, bypassing application whitelisting and endpoint detection controls that are tuned for executables or network exploits, not protocol abuse. ๐Ÿ›‘

Mitigation and Defensive Strategies
The gold standard remains disabling NTLM entirely where possible. However, for environments that cannot immediately cut the cord:

  1. Enforce SMB Signing (both client and server) via Group Policy. This invalidates the payload required for most relay attacks.
  2. Implement strict network segmentation. An endpoint should not be able to establish an SMB connection to a Domain Controller unless absolutely necessary and via explicitly allowed routes.
  3. Deploy host-based network restrictions on DCs to only listen for SMB traffic on designated management subnets.
  4. Deploy NTLM Blockers/Responders on workstations to actively refuse authentication prompts to untrusted names.

Researcher Reflection
This exercise was a humbling reminder that security debt accumulates fastest in the protocols we deem "internal" and "trusted." We invest heavily in firewalls and perimeter defenses, yet an unpatched registry setting on a standard user workstation can be the key to unlocking the entire domain via a simple protocol handshake. Never trust a standard port across an internal subnet without verifying the required security controls are active.

Conclusion
SMB relay is not merely a historical artifact; it is a persistent, high-impact lateral movement technique flourishing in environments burdened by legacy authentication reliance. Hardening SMB configuration using signing enforcement and strict network filtering remains the most effective defense against this low-effort, high-reward attack path.

Discussion Question
For those operating in hybrid environments, what are the most significant organizational hurdles you face when trying to fully deprecate NTLM across all internal service endpoints? Let's discuss real-world blockers.

Written by - Harsh Kanojia

LinkedIn - https://www.linkedin.com/in/harsh-kanojia369/

GitHub - https://github.com/harsh-hak

Personal Portfolio - https://harsh-hak.github.io/

Community - https://forms.gle/xsLyYgHzMiYsp8zx6

Top comments (0)