Metasploit mailing list archives

Is this SMB relay scenario doable ?


From: Dan Jenkins <k1dlr01 () yahoo com>
Date: Mon, 28 Nov 2011 20:31:05 -0800 (PST)

Guday,

I have developed a new (I have not seen this technique elsewhere - so maybe it's not well known) XML/InfoPath obfuscated link which I can use to cause the victim to send me their NTLM hashes. So far - even with IE8 being set to MS's latest highest security settings and XP following the MS hardening guide - the victim is never prompted!

In all cases the victim is NOT A MEMBER of the WINDOWS administrator group - on ANY Windows box. MS08-068 and ALL further SMB patches ARE APPLIED ON EACH BOX. NTLMv2 is the only auth allowed.

When the victim opens the XML file they -

Send their creds via NTLMv2 over port 445 - standard SMB ANDX negotiation.

As in prior SMB relay/replay attacks there is NO warning that the end user sent their credentials.

I am aware of the following privilege escalation methods:

Capture their NTLMv2 creds via Metasploit 
Feed their NTLMv2 hashes into CAIN & ABEL or JTR for cracking 
If the victim was an admin - relay hashes to a box where they are admin and launch MSF payloads.

What I want to try may already be well known - but I thought that MS08-068 stopped the attack described below.

The victim has access to a known shared directory, as the Windows owner of their own directory. Victim XYZ has a classic shared directory on \\BIGSHARE\XYZ. Victim XYZ is on their own laptop XYZ-LAPTOP.

Can Metasploit RELAY the creds from the following UNC path to the above UNC path?

I get the victim (on XYZ-LAPTOP) to open my XML file - with infopath.exe. My Windows XML/InfoPath pseudo-hack causes a connection (via classic SMB) to my \\METAPLSOIT\XYZ with the XYZ user's NTLMv2 creds.

Can Metasploit relay the above NTLMv2 negotiations to \\BIGSHARE\XYZ and let me MAP their shared directory XYZ as user XYZ on my Metasploit box? I have the latest MSF on Unix and XP. I just want to MAP the shared drive \\BIGSHARE\XYZ - since my victim is NOT admin on ANY of these 3 boxes.
  
I did not see the above scenario in all the recent SMB Relay posts using Metasploit. My apologies if I missed this scenario.

Thanks for listening.
