Re: Is this SMB relay scenario doable ?

[HD Moore <hdm () metasploit com>]

On 11/28/2011 11:31 PM, Dan Jenkins wrote:
> What I want to try may already be well known - but I thought that
> MS08-068 stopped the attack described below.
>
> The victim has access to a known shared dirctory, as the Windows owner
> of their own directory.  Victim XYZ has a classic shared directory on 
> \\BIGSHARE\XYZ  Victim XYZ is on their own laptop XYZ-LAPTOP.
>
> Can Metaplsoit RELAY the creds from the following UNC path to the above
> UNC path ?
>
> I get the victim ( on XYZ-LAPTOP )  to open my XML file - with
> infopath.exe   My Windows XML/Infopath pseudo-hack causes a connection
> (via classic SMB) to my \\METAPLSOIT\XYZ with the XYZ users' NTLMv2 creds.
>
> Can Metasploit relay the above NTLMv2 negotiations to \\BIGSHARE\XYZ and
> let me MAP their shared directory:XYZ as user XYZ on my Metasploit box
> ?  I have latest MSF on Unix and XP.   I just want to MAP the shared
> drive \\BIGSHARE\XYZ - since my victim is NOT admin on ANY of these 3
> boxes..


MS08-068 only patched direct reflection; you can still relay NTLM to a
third-party server and passthrough the authentication. Metasploit's
relay code does not have support for a "smbclient" style session
(planning one, however), nor does it currently support NTLMv2 for the
relay module. Both are possible however.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework