Metasploit mailing list archives

Re: Using smb_relay without admin access
From: Brian <briaar () gmail com>
Date: Tue, 4 Jan 2011 14:50:55 -0700

Funk,

I think this would be possible:
http://technet.microsoft.com/en-us/sysinternals/bb897553

psexec -l flag: Run process as limited user (strips the Administrators
group and allows only privileges assigned to the Users group). On
Windows Vista the process runs with Low Integrity

Better get good at priv escalation :)

-Brian

On Tue, Jan 4, 2011 at 1:57 PM, funk flavor <funkflavor () gmail com> wrote:

Hi all,

I was guessing if the smb_relay module could be used even if the relayed authentication was not an admin one.
Well I know the smb_relay module tries to connect to ADMIN$. But if the goal of the test is only showing that NTLM
authentication can be spoofed then the module could be tweaked to map to another share, right? Then instead of
uploading a payload it could just list the content of the share, still right?

Thx!


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
