An SMB Relay attack is a network exploitation technique in which an attacker intercepts SMB (Server Message Block) authentication attempts and forwards them to a different target server. Instead of cracking captured NTLM challenge-response hashes offline, the attacker relays the authentication in real time to gain unauthorized access to another system. The attack is particularly effective in environments where SMB signing is not enforced, because an unsigned session cannot be tied to the client that actually performed the authentication.
The attacker positions themselves to intercept SMB authentication traffic, often using LLMNR or NBT-NS poisoning to redirect connection attempts. When a victim initiates an SMB connection, the attacker captures the NTLM authentication handshake. Rather than attempting to crack the hash offline, the attacker immediately relays these credentials to a different target server. The target server processes the authentication as if it came directly from the victim. If the victim's account has administrative access on the target machine, the attacker gains full administrative control. Tools like ntlmrelayx automate this process, allowing simultaneous relay to multiple targets and automatic execution of post-exploitation actions.
SMB Relay attacks are devastating because they bypass the need for password cracking entirely. The attack works with any password complexity since the actual credentials are relayed, not cracked. In enterprise environments where service accounts and administrators access multiple systems, a single intercepted authentication can cascade into widespread compromise. Mandatory SMB signing, network segmentation, disabling NTLM where possible, and restricting administrative account usage across systems are essential mitigations.
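Because the whole attack hinges on whether the target accepts unsigned sessions, a defender's first check is the SecurityMode field a server advertises in its SMB2 NEGOTIATE response. The following Python helper, an added example that is not part of the original article, parses that response (field layout per MS-SMB2) and reports whether signing is merely enabled or actually required; the sample packet is constructed inline rather than captured from a real host.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x01     # set on every response
SIGNING_ENABLED = 0x01                 # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x02                # SMB2_NEGOTIATE_SIGNING_REQUIRED

# 64-byte SMB2 header (sync form) followed by the fixed part of the
# NEGOTIATE response body.
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
BODY_FMT = "<HHHH16sIIIIQQHHI"


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed sample NEGOTIATE response (test data, not a real capture)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(BODY_FMT, 65, security_mode, dialect, 0, b"\x11" * 16,
                       0x7, 0x800000, 0x800000, 0x800000, 0, 0, 0, 0, 0)
    return header + body


def assess_signing(packet: bytes) -> dict:
    """Return the server's signing posture from a NEGOTIATE response."""
    if len(packet) >= 4 and packet[0] == 0x00:          # NetBIOS session header
        packet = packet[4:]
    if len(packet) < 64 + 6 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if struct_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    required = bool(mode & SIGNING_REQUIRED)
    return {
        "dialect": hex(dialect),
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": required,
        # Without required signing the server will accept a relayed,
        # unsigned session: exactly the precondition for SMB relay.
        "relay_exposed": not required,
    }
```

Run it against a response captured from a host under your own administration (for example from a packet capture of a normal client connection) to confirm the mandatory-signing policy is actually in effect and not just enabled.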