Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover

Conducting NTLM relays from command-and-control (C2) infrastructure involves several hurdles for red teamers and penetration testers to overcome, in contrast to being directly plugged into a target network. When relaying inbound SMB traffic on a compromised Windows machine, a major tradecraft consideration is how an attacker will control or manipulate the inbound traffic. A problem arises due to the Windows kernel, by default, opening a socket that is bound to port 445/tcp and listening on all network interfaces; thus preventing the attacker from simply starting their own SMB listener on the port.

Existing solutions to this problem require taking noteworthy risks in terms of OPSEC, increasing likelihood of detection / prevention. When there are stealth requirements in place for a red team engagement or penetration test, actions such as loading a driver associated with well-known attacks, rebooting the compromised machine, or tampering with LSASS are often not an option.

In this presentation, I will demonstrate a new technique to take control of port 445/tcp without the OPSEC drawbacks of existing solutions. I will also step through reverse engineering the associated Windows drivers to explain how the technique works under-the-hood. Finally, I will demonstrate a new tool that automates this technique, allowing you to temporarily take control of the SMB port, conduct your SMB-based NTLM relay, and then resume normal SMB functionality - all without the indicators of compromise (IoCs) associated with existing solutions. This technique will significantly ease exploitation of popular relay attacks such as SCCM site takeover (SMB to MSSQL relaying) and ADCS ESC8 (SMB to HTTP relaying).

Conducting NTLM relays from command-and-control (C2) infrastructure involves several hurdles for red teamers and penetration testers to overcome, in contrast to being directly plugged into a target network. When relaying inbound SMB traffic on a compromised Windows machine, a major tradecraft consideration is how an attacker will control or manipulate the inbound traffic. A problem arises due to the Windows kernel, by default, opening a socket that is bound to port 445/tcp and listening on all network interfaces; thus preventing the attacker from simply starting their own SMB listener on the port.

Existing solutions to this problem require taking noteworthy risks in terms of OPSEC, increasing likelihood of detection / prevention. When there are stealth requirements in place for a red team engagement or penetration test, actions such as loading a driver associated with well-known attacks, rebooting the compromised machine, or tampering with LSASS are often not an option.

In this presentation, I will demonstrate a new technique to take control of port 445/tcp without the OPSEC drawbacks of existing solutions. I will also step through reverse engineering the associated Windows drivers to explain how the technique works under-the-hood. Finally, I will demonstrate a new tool that automates this technique, allowing you to temporarily take control of the SMB port, conduct your SMB-based NTLM relay, and then resume normal SMB functionality - all without the indicators of compromise (IoCs) associated with existing solutions. This technique will significantly ease exploitation of popular relay attacks such as SCCM site takeover (SMB to MSSQL relaying) and ADCS ESC8 (SMB to HTTP relaying).