Metasploit mailing list archives

ntlm over http


From: natronicus at gmail.com (natronicus)
Date: Mon, 1 Oct 2007 10:38:03 -0500

This is shiftnato on my normal email.  The other is my mailing list collector.

I hadn't thought of this until this morning, but I believe switching
it to port 80 will allow the exploit to work on the windows platform.
SMB_RELAY probably doesn't work on Windows (haven't checked) because
it would require listening on 139 for the initial connection.  While
that's possible for at least some languages (don't know if Ruby can),
it's very buggy at best, and was at least one reason why the original,
non-metasploit smbrelay was so buggy.

When you switch to port 80, you don't have to listen on 139 anymore.
I need to verify what the src port is when metasploit does its
connections to the remote computer (some SMB clients use 139 as the
src port), but that can be changed to a random high port and it works
just as well.

n

On 9/28/07, Patrick Webster <patrick at metasploit.com> wrote:
Don't forget you still need to replay the hash to the client... so you need
IPC$ (135/445) listening and routable. shiftnato just wants to use HTTP
challenges (IIS "Integrated Authentication") to grab the auth, as a lot of
non-MS clients will block \\server in HTML - but http://evil will be
accepted. Firefox supports NTLM HTTP challenges also ;-)

-Patrick
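The defender's side of the HTTP-challenge trick Patrick describes, added here as an example rather than code from the thread or from Metasploit: a proxy or log review can decode the NTLM token a client places in an HTTP Authorization header and flag Type 3 (Authenticate) messages that went to a host outside the intranet, i.e. the "http://evil will be accepted" case. The "<host> <header>" log format, the INTRANET_SUFFIXES policy and the build_type1/build_type3 helpers that fabricate the sample tokens are assumptions; the field offsets follow MS-NLMP.

```python
import base64
import struct
NTLMSSP = b"NTLMSSP\x00"                # MS-NLMP signature opening every NTLM message
NEGOTIATE_UNICODE = 0x00000001          # flag: string fields are UTF-16LE
INTRANET_SUFFIXES = (".corp.example",)  # assumed policy: NTLM may only go to these hosts
def _field(blob, off):
    length, _maxlen, start = struct.unpack_from("<HHI", blob, off)  # Len/MaxLen/BufferOffset
    return blob[start:start + length]

def parse_ntlm(token_b64):
    """Return (message_type, identity) for a base64 NTLM token from an HTTP header."""
    blob = base64.b64decode(token_b64)
    if blob[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type != 3:  # Type 1 (Negotiate) and Type 2 (Challenge) carry no client identity
        return msg_type, {}
    enc = "utf-16-le" if struct.unpack_from("<I", blob, 60)[0] & NEGOTIATE_UNICODE else "ascii"
    # AUTHENTICATE_MESSAGE field offsets: DomainName @28, UserName @36, Workstation @44
    return 3, {k: _field(blob, o).decode(enc) for k, o in
               (("domain", 28), ("user", 36), ("workstation", 44))}

def audit(log_lines):
    """Flag Type 3 (Authenticate) tokens sent to hosts outside the intranet allowlist."""
    findings = []
    for line in log_lines:                      # constructed format: "<host> <header line>"
        host, header = line.split(" ", 1)
        if header.startswith("Authorization: NTLM "):
            msg_type, who = parse_ntlm(header.split(" ", 2)[2])
            if msg_type == 3 and not host.endswith(INTRANET_SUFFIXES):
                findings.append((host, who["domain"], who["user"]))
    return findings

def build_type1():  # constructed minimal NEGOTIATE_MESSAGE, only to fabricate a sample line
    return base64.b64encode(NTLMSSP + struct.pack("<II", 1, NEGOTIATE_UNICODE) + bytes(24)).decode()
def build_type3(domain, user, workstation):  # constructed minimal AUTHENTICATE_MESSAGE
    fields, payload, off = b"", b"", 64       # strings follow the 64-byte fixed header
    for s in (x.encode("utf-16-le") for x in (domain, user, workstation)):
        fields += struct.pack("<HHI", len(s), len(s), off)
        payload, off = payload + s, off + len(s)
    empty = struct.pack("<HHI", 0, 0, 64)      # LM response, NT response, session key: absent
    header = NTLMSSP + struct.pack("<I", 3) + empty * 2 + fields + empty + struct.pack("<I", NEGOTIATE_UNICODE)
    return base64.b64encode(header + payload).decode()

# Constructed sample proxy log: an intranet login, the same token sent to an outside host
# (the http://evil case from the thread), and a bare Type 1 that carries nothing to report.
SAMPLE_LOG = [
    "intranet.corp.example Authorization: NTLM " + build_type3("CORP", "alice", "WS01"),
    "evil.example.net Authorization: NTLM " + build_type3("CORP", "alice", "WS01"),
    "evil.example.net Authorization: NTLM " + build_type1(),
]
```

Only the token sent to evil.example.net is reported; the same credentials going to the intranet host and the identity-free Type 1 are left alone.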
