Metasploit mailing list archives
ntlm over http
From: natronicus at gmail.com (natronicus)
Date: Mon, 1 Oct 2007 10:38:03 -0500
This is shiftnato on my normal email. The other is my mailing list collector.

I hadn't thought of this until this morning, but I believe switching it to port 80 will allow the exploit to work on the windows platform. SMB_RELAY probably doesn't work on Windows (haven't checked) because it would require listening on 139 for the initial connection. While that's possible for at least some languages (don't know if Ruby can), it's very buggy at best, and was at least one reason why the original, non-metasploit smbrelay was so buggy. When you switch to port 80, you don't have to listen on 139 anymore.

I need to verify what the src port is when metasploit does its connections to the remote computer (some SMB clients use 139 as the src port), but that can be changed to a random high port and it works just as well.

n

On 9/28/07, Patrick Webster <patrick at metasploit.com> wrote:
> Don't forget you still need to replay the hash to the client... so you need IPC$ (135/445) listening and routable.
>
> shiftnato just wants to use HTTP challenges (IIS "Integrated Authentication") to grab the auth, as a lot of non-MS clients will block \\server in HTML - but http://evil will be accepted. Firefox supports NTLM HTTP challenges also ;-)
>
> -Patrick
Current thread:
- ntlm over http natronicus (Oct 01)
- ntlm over http H D Moore (Oct 01)