SMB Relay Attack
What is an SMB Relay Attack?
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
SMB relay attacks abuse Windows file-sharing authentication when SMB signing is not enforced. The attacker gets a victim host to authenticate to a machine they control (typically by poisoning LLMNR/NBT-NS name resolution with Responder, or by coercing the victim into opening a malicious UNC path) and, instead of answering, forwards each NTLM message live to a target SMB server that does not require signing. The attacker never learns the password: the target issues its challenge, the victim computes the NTLMv2 response to that challenge, and the attacker passes the response on. If the relayed identity has local-admin rights on the target, the attacker installs a PsExec-style service, creates scheduled tasks, or reads sensitive shares as the victim; if not, the attacker still gets whatever the victim can read.
The attack dates to a 2001 Cult of the Dead Cow disclosure (the original SMBRelay tool) and was later popularised by Metasploit's smb_relay module. Originally an attacker could relay a victim's credentials straight back to the originating host ("credential reflection"). Microsoft closed that specific path with MS08-068 in November 2008: a host now refuses an authentication response built over a challenge that its own SMB service issued, so since 2008 you must relay to a different machine than the source. That single restriction is why modern SMB relay depends on finding a second host (a lateral target) on which the victim's account has rights and on signing not being required there. The 2025 SMB-client vulnerability CVE-2025-33073 briefly revived a reflection-style privilege escalation before being patched, underscoring how persistent the underlying NTLM weakness is.
flowchart LR
    P[Poison LLMNR/NBT-NS<br/>or coerce UNC path] --> V[Victim sends NTLM auth]
    V --> A[Attacker relay<br/>smbrelayx / ntlmrelayx]
    A -->|relay to a DIFFERENT host<br/>signing not enforced| T[(Target SMB server)]
    T -->|victim is local admin| X[Service install / PsExec<br/>command execution]
    T -->|otherwise| R[Read sensitive shares]
    S[Require SMB signing both ends] -.blocks.-> A
Requiring SMB signing on both clients and servers is the principal mitigation: the session key that signs SMB traffic is derived from the victim's NT hash, which the relay never sees, so a relayed session can authenticate but cannot produce a valid signature on any subsequent request. Note that "enabled" is not "required"; only the required setting blocks relay, and domain controllers require it by default while member servers and workstations usually do not. Disabling LLMNR and NBT-NS removes the usual poisoning vector, and LDAP signing plus channel binding, Kerberos-only environments, and disabling NTLM outright further reduce exposure to the wider family of NTLM relay attacks. Impacket's older smbrelayx and its successor ntlmrelayx (run with -t smb://&lt;target&gt;) are the canonical tools.
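The following is an added example, not code from the original page or from Impacket, that walks the relay exchange described above and shows why requiring signing stops it. It computes a real NTLMv2 response (MS-NLMP: NTOWFv2, NTProofStr, session base key) on the victim side, verifies it on the target side, and then tries to sign a follow-up request as the attacker. The user name, domain, password, challenges and the "command" bytes are constructed; the NTLMv2 blob is simplified (zero timestamp, no AV pairs or MIC) and signing is shown at the SMB 2.1 level (HMAC-SHA256 with the session key directly, no SMB 3 KDF and no key exchange), which is enough to make the point.

```python
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, K, shifts, order in rounds:
            for i, k in enumerate(order):
                r = (-i) % 4  # registers are updated in the order a, d, c, b
                mixed = (s[r] + fn(s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]) + X[k] + K) & 0xFFFFFFFF
                s[r] = rotl(mixed, shifts[i % 4])
        state = [(x + y) & 0xFFFFFFFF for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowfv2(nt: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP 3.3.2: NTOWFv2 = HMAC_MD5(NT hash, UTF16LE(UPPER(user) + domain))
    return hmac_md5(nt, (user.upper() + domain).encode("utf-16-le"))


def victim_authenticate(password, user, domain, server_challenge, client_challenge):
    """Victim side: answers whatever challenge it is handed. Returns the NTLMv2
    response (goes on the wire) and the session base key (never goes on the wire)."""
    # Simplified NTLMv2 blob: version header, zero timestamp, client challenge, no AV pairs.
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + client_challenge + b"\x00" * 8
    key = ntowfv2(nt_hash(password), user, domain)
    proof = hmac_md5(key, server_challenge + blob)           # NTProofStr
    return proof + blob, hmac_md5(key, proof)                 # response, session base key


def target_verify(response, user, domain, server_challenge, nt_hash_from_dc):
    """Target side (really the DC on its behalf): recompute NTProofStr from the account's
    NT hash. Returns the session base key on success, None on failure."""
    proof, blob = response[:16], response[16:]
    key = ntowfv2(nt_hash_from_dc, user, domain)
    if not hmac.compare_digest(proof, hmac_md5(key, server_challenge + blob)):
        return None
    return hmac_md5(key, proof)


def smb2_sign(session_key: bytes, message: bytes) -> bytes:
    # SMB 2.0.2/2.1 signing: HMAC-SHA256 over the packet, truncated to 16 bytes
    return hmac.new(session_key, message, hashlib.sha256).digest()[:16]


def relay(signing_required: bool, *, victim_password="Winter2024!", user="jsmith",
          domain="CORP", target_challenge=None, client_challenge=None) -> dict:
    """Attacker in the middle: open a session to the target, hand the target's challenge to
    the victim, forward the victim's response to the target, then try to issue a command."""
    target_challenge = target_challenge or os.urandom(8)   # step 1: target challenges the attacker
    client_challenge = client_challenge or os.urandom(8)
    # step 2: attacker presents that exact challenge to the victim (Responder / coerced UNC path)
    response, _victim_key = victim_authenticate(victim_password, user, domain,
                                                target_challenge, client_challenge)
    # step 3: attacker forwards the response; the target validates it against the DC
    target_key = target_verify(response, user, domain, target_challenge, nt_hash(victim_password))
    result = {"authenticated": target_key is not None, "signing_required": signing_required}
    command = b"SMB2 TREE_CONNECT \\\\TARGET\\ADMIN$"        # constructed stand-in for a request
    if not signing_required:
        result["command_accepted"] = result["authenticated"]  # unsigned request goes straight through
        return result
    # With signing required every request must carry HMAC(session key, packet). The session key
    # is HMAC_MD5(NTOWFv2, NTProofStr), which needs the victim's NT hash; the relay never saw it,
    # so the attacker can only guess a key.
    forged = smb2_sign(b"\x00" * 16, command)
    result["command_accepted"] = result["authenticated"] and hmac.compare_digest(
        forged, smb2_sign(target_key, command))
    return result


if __name__ == "__main__":
    print("signing not required:", relay(False))
    print("signing required    :", relay(True))
```

Both runs authenticate successfully, which is the point: signing does not stop the relayed logon, it stops the attacker from using the session afterwards. The same key dependency is why a captured NTLMv2 response cannot simply be replayed later; it is bound to the challenge the target issued at that moment.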
● Examples
- 01
Compromising a finance workstation by relaying its NTLM authentication to a peer workstation that shares the same local-admin password.
- 02
Reading payroll data from a non-signing file server after relaying a user's live NTLMv2 authentication to it.
● Frequently asked questions
What is an SMB Relay Attack?
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim. It belongs to the Attacks & Threats category of cybersecurity.
What does SMB Relay Attack mean?
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
How do you defend against an SMB Relay Attack?
Require SMB signing on every client and server (not merely enable it), disable LLMNR and NBT-NS to remove the poisoning vector, avoid reusing local-admin passwords across hosts, and move toward Kerberos-only authentication with NTLM disabled, as detailed in the full definition above.
What are other names for an SMB Relay Attack?
Common alternative names include: SMB relaying, Cross-protocol SMB relay.