Metasploit mailing list archives
Re: Is this SMB relay scenario doable ?
From: HD Moore <hdm () metasploit com>
Date: Tue, 29 Nov 2011 09:07:38 -0500
On 11/28/2011 11:31 PM, Dan Jenkins wrote:
What I want to try may already be well known - but I thought that MS08-068 stopped the attack described below.

The victim has access to a known shared directory, as the Windows owner of their own directory. Victim XYZ has a classic shared directory on \\BIGSHARE\XYZ. Victim XYZ is on their own laptop XYZ-LAPTOP.

Can Metasploit RELAY the creds from the following UNC path to the above UNC path?

I get the victim (on XYZ-LAPTOP) to open my XML file - with infopath.exe. My Windows XML/Infopath pseudo-hack causes a connection (via classic SMB) to my \\METAPLSOIT\XYZ with the XYZ user's NTLMv2 creds.

Can Metasploit relay the above NTLMv2 negotiations to \\BIGSHARE\XYZ and let me MAP their shared directory XYZ as user XYZ on my Metasploit box?

I have the latest MSF on Unix and XP. I just want to MAP the shared drive \\BIGSHARE\XYZ - since my victim is NOT admin on ANY of these 3 boxes.
MS08-068 only patched direct reflection; you can still relay NTLM to a third-party server and pass through the authentication. Metasploit's relay code does not have support for an "smbclient" style session (planning one, however), nor does it currently support NTLMv2 for the relay module. Both are possible, however.

-HD
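The distinction HD draws (reflection back to the host that issued the challenge versus relay to a third-party server) is easiest to see as a protocol exchange. The following is an added toy model, not Metasploit code and not anything from the thread: the hostnames, the user's NT hash and the stripped-down message shapes are all constructed for the demo. It models the MS08-068 behaviour as a client-side check (a host refuses to answer a challenge that its own SMB server is currently waiting on), which is why relaying XYZ-LAPTOP's NTLMv2 answer to BIGSHARE still works while reflecting it back to XYZ-LAPTOP does not. The NTLMv2 arithmetic (NTOWFv2 and NTProofStr) is the real one; flags, target info, signing and SMB framing are left out.

```python
"""Toy NTLMv2 relay vs. reflection model (added example, not Metasploit's code).

Assumed, not from the thread: host names, the NT hash below, and the simplified
message shapes.  Real NTLM carries flags, target info, signing/sealing and SMB
framing that this model omits.
"""
import hashlib
import hmac
import os
import struct
import time

# Constructed secret for the demo.  In reality the NT hash is MD4(UTF-16LE(password));
# MD4 is not exposed by every OpenSSL build, so the model starts from the hash itself.
NT_HASH_XYZ = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntlmv2_hash(nt_hash, user, domain):
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (UTF-16LE)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, filetime):
    """NTProofStr || blob, the NtChallengeResponse field of an AUTHENTICATE (Type 3)."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + b"\x00" * 4)  # empty target info for the demo
    proof = hmac.new(ntlmv2_hash(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


class Host:
    """A Windows box in both SMB roles: server (hands out challenges) and client
    (answers them).  `patched` models the MS08-068 reflection check."""

    def __init__(self, name, accounts, patched=True):
        self.name = name
        self.accounts = accounts   # user -> NT hash this host can verify (stand-in for the DC)
        self.patched = patched
        self.issued = set()        # challenges our server sent and has not yet consumed

    # --- server role ---
    def challenge(self):
        """CHALLENGE (Type 2): 8 random bytes, remembered until a Type 3 consumes them."""
        c = os.urandom(8)
        self.issued.add(c)
        return c

    def authenticate(self, user, domain, server_challenge, response):
        """Verify a Type 3 against a challenge we issued; True means a session as `user`."""
        if server_challenge not in self.issued or user not in self.accounts:
            return False
        self.issued.discard(server_challenge)
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntlmv2_hash(self.accounts[user], user, domain),
                            server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)

    # --- client role ---
    def answer(self, user, domain, nt_hash, server_challenge):
        """Answer a Type 2 with the logged-on user's NTLMv2 response."""
        # MS08-068 (as modelled here): a challenge that this same machine's server is
        # currently waiting on can only have come back via reflection, so refuse it.
        if self.patched and server_challenge in self.issued:
            raise PermissionError(f"{self.name}: own challenge reflected back, refusing")
        filetime = int((time.time() + 11644473600) * 10_000_000)  # FILETIME, as NTLM uses
        return ntlmv2_response(nt_hash, user, domain, server_challenge, os.urandom(8), filetime)


def relay(victim, target, user, domain, nt_hash):
    """Attacker in the middle.  Returns True if `target` accepted a session as `user`."""
    # 1. victim connects to the attacker's fake share (the XML/Infopath trigger in the post)
    # 2. attacker opens its own session to target and receives target's CHALLENGE
    server_challenge = target.challenge()
    # 3. attacker hands target's challenge to the victim as if it were the attacker's own
    try:
        response = victim.answer(user, domain, nt_hash, server_challenge)
    except PermissionError:
        return False
    # 4. attacker forwards the victim's AUTHENTICATE to target unchanged
    return target.authenticate(user, domain, server_challenge, response)


def scenario(patched):
    """Reflection (target == victim) and third-party relay, with or without MS08-068."""
    accounts = {"xyz": NT_HASH_XYZ}  # constructed: both hosts can verify user xyz
    laptop = Host("XYZ-LAPTOP", accounts, patched)
    bigshare = Host("BIGSHARE", accounts, patched)
    return {
        "reflection": relay(laptop, laptop, "xyz", "CORP", NT_HASH_XYZ),
        "third_party_relay": relay(laptop, bigshare, "xyz", "CORP", NT_HASH_XYZ),
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", scenario(patched))
```

With `patched=True` the reflection case fails at step 3 while the relay to BIGSHARE still succeeds, which is the point of the reply; with `patched=False` both succeed. Note the relay succeeds without the attacker ever learning the NT hash: the model passes `nt_hash` to `answer()` only because the toy client has no LSASS to hold it.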