SMB Relay Attack
What is SMB Relay Attack?
SMB Relay Attack: A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
SMB relay attacks abuse Windows file-sharing authentication when SMB signing is not enforced. The attacker positions themselves between a victim host and a target server, often by poisoning name resolution with Responder or by coercing the victim into connecting to a malicious UNC path. The victim's NTLM authentication is then relayed to a target SMB server that does not require signing. If the relayed identity has local-admin rights on the target, the attacker can execute commands through PsExec-style service installation, create scheduled tasks, or read sensitive shares. Requiring SMB signing on both clients and servers is the principal mitigation; LDAPS-only or Kerberos-only environments further reduce exposure. Impacket's smbrelayx and ntlmrelayx (with -t smb://) are the canonical tools.
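Because the mitigation above comes down to one setting on each side of the connection, the following added PowerShell example (not code from the glossary or from any tool it names) audits whether a Windows host requires SMB signing as server and as client, reports which relay role the host is still exposed to, and optionally enforces the setting. It assumes the built-in SmbShare module (Get-/Set-SmbServerConfiguration and Get-/Set-SmbClientConfiguration, Windows 8 / Server 2012 and later) and an elevated session for the Set- calls; the function names are the example's own.

```powershell
# Added example: audit and enforce SMB signing on the local Windows host.
# Assumes the SmbShare module is present; Set-SmbSigningRequired needs an elevated prompt.

function Get-SmbSigningState {
    # Signing has two knobs per side: Enable (offered) and Require (refuse unsigned sessions).
    # Only "Require" on BOTH sides stops a relay, so both are collected here.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerEnabled  = [bool]$server.EnableSecuritySignature
        ServerRequired = [bool]$server.RequireSecuritySignature
        ClientEnabled  = [bool]$client.EnableSecuritySignature
        ClientRequired = [bool]$client.RequireSecuritySignature
    }
}

function Test-SmbRelayExposure {
    # Maps the two "Require" flags onto the two roles a host can play in a relay.
    param([pscustomobject]$State = (Get-SmbSigningState))

    $findings = @()
    if (-not $State.ServerRequired) {
        $findings += 'Server side accepts unsigned sessions: this host can be a relay TARGET.'
    }
    if (-not $State.ClientRequired) {
        $findings += 'Client side does not require signing: authentication leaving this host can be relayed (VICTIM).'
    }
    if ($findings.Count -eq 0) {
        return 'SMB signing is required for both server and client; relaying to or from this host is blocked.'
    }
    return $findings
}

function Set-SmbSigningRequired {
    # Enforces the principal mitigation locally. In a domain, push the same setting fleet-wide
    # with the "Digitally sign communications (always)" policies rather than host by host.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Require SMB signing')) {
        Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Require SMB signing')) {
        Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    }
}

# Usage: audit first, enforce once the report is understood.
Get-SmbSigningState | Format-List
Test-SmbRelayExposure
# Set-SmbSigningRequired -WhatIf   # preview the change; drop -WhatIf to apply it
```

The report distinguishes the two exposures deliberately: a server-side gap makes the host a relay destination, a client-side gap makes it a relay source, and only closing both removes the host from the attack path described above. Run Set-SmbSigningRequired with -WhatIf first, since requiring signing breaks sessions from legacy clients that cannot sign.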
● Examples
- 01
Compromising a finance workstation by relaying its NTLM auth to a peer where the same admin password is reused.
- 02
Reading payroll data from a non-signing file server after relaying a captured NTLMv2 hash.
● Frequently asked questions
What is SMB Relay Attack?
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim. It belongs to the Attacks & Threats category of cybersecurity.
What does SMB Relay Attack mean?
A specific NTLM relay variant in which an attacker forwards a victim's SMB authentication to another SMB server to gain code execution or file access as the victim.
How does SMB Relay Attack work?
SMB relay attacks abuse Windows file-sharing authentication when SMB signing is not enforced. The attacker positions themselves between a victim host and a target server, often by poisoning name resolution with Responder or by coercing the victim into connecting to a malicious UNC path. The victim's NTLM authentication is then relayed to a target SMB server that does not require signing. If the relayed identity has local-admin rights on the target, the attacker can execute commands through PsExec-style service installation, create scheduled tasks, or read sensitive shares. Requiring SMB signing on both clients and servers is the principal mitigation; LDAPS-only or Kerberos-only environments further reduce exposure. Impacket's smbrelayx and ntlmrelayx (with -t smb://) are the canonical tools.
How do you defend against SMB Relay Attack?
Defences for SMB Relay Attack combine technical controls and operational practices. The principal control, as described in the full definition above, is requiring SMB signing on both clients and servers so that a relayed authentication cannot be used to establish a session; moving to Kerberos-only or LDAPS-only authentication further reduces exposure, and limiting the local-admin rights that a relayed identity would inherit on the target restricts what a successful relay can do.
What are other names for SMB Relay Attack?
Common alternative names include: SMB relaying, Cross-protocol SMB relay.
● Related terms
- attacks № 746
NTLM Relay Attack
An adversary-in-the-middle attack (MITRE T1557.001) in which an attacker forwards a victim's NTLM authentication to another service to impersonate them without ever knowing the password.
- attacks № 620
LLMNR Poisoning
An adversary-in-the-middle technique (MITRE T1557.001) that abuses the Link-Local Multicast Name Resolution protocol on UDP/5355 to redirect victims to attacker-controlled hosts.
- attacks № 715
NBT-NS Poisoning
An adversary-in-the-middle attack that abuses legacy NetBIOS Name Service traffic on UDP/137 to spoof name responses and harvest NTLM authentications.
- attacks № 924
Responder Attack
An attack that uses Laurent Gaffie's Responder tool to poison LLMNR, NBT-NS, and mDNS, run rogue authentication servers, and capture or relay NTLM credentials on a local network.
- attacks № 790
Pass-the-Hash
A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.