Metasploit mailing list archives
Is this SMB relay scenario doable ?
From: Dan Jenkins <k1dlr01 () yahoo com>
Date: Mon, 28 Nov 2011 20:31:05 -0800 (PST)
G'day, I have developed a new (I have not seen this technique elsewhere, so maybe it's not well known) XML/InfoPath obfuscated link which I can use to cause the victim to send me their NTLM hashes. So far, even with IE8 set to MS's latest highest security settings and XP following the MS hardening guide, the victim is never prompted! In all cases the victim is NOT A MEMBER of the Windows administrator group on ANY Windows box. MS08-068 and ALL further SMB patches ARE APPLIED ON EACH BOX. NTLMv2 is the only auth allowed.

When the victim opens the XML file they send their creds via NTLMv2 over port 445, standard SMB ANDX negotiation. As in prior SMB relay/replay attacks there is NO warning that the end user sent their credentials.

I am aware of the following privilege escalation methods:
- Capture their NTLMv2 creds via Metasploit
- Feed their NTLMv2 hashes into Cain & Abel or JTR for cracking
- If the victim was an admin, relay hashes to a box where they are admin and launch MSF payloads.

What I want to try may already be well known, but I thought that MS08-068 stopped the attack described below.

The victim has access to a known shared directory, as the Windows owner of their own directory. Victim XYZ has a classic shared directory on \\BIGSHARE\XYZ. Victim XYZ is on their own laptop XYZ-LAPTOP.

Can Metasploit RELAY the creds from the following UNC path to the above UNC path? I get the victim (on XYZ-LAPTOP) to open my XML file with infopath.exe. My Windows XML/InfoPath pseudo-hack causes a connection (via classic SMB) to my \\METAPLSOIT\XYZ with the XYZ user's NTLMv2 creds. Can Metasploit relay the above NTLMv2 negotiation to \\BIGSHARE\XYZ and let me MAP their shared directory XYZ as user XYZ on my Metasploit box?

I have the latest MSF on Unix and XP. I just want to MAP the shared drive \\BIGSHARE\XYZ, since my victim is NOT admin on ANY of these 3 boxes. I did not see the above scenario in all the recent SMB Relay posts using Metasploit.
My apologies if I missed this scenario. Thanks for listening.
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
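The question above rests on two settings that are easy to confuse when assessing exposure to NTLM relay: NTLMv2 enforcement (LmCompatibilityLevel) changes which challenge-response format a client will send, and MS08-068 addressed reflecting an authentication back to the host it came from, but neither decides whether a live authentication forwarded to a *different* file server will be accepted there. The control that does decide that is SMB signing being required on that server (and, on the client side, required by the workstation). The following script is an added example, not part of the original post or of Metasploit: it parses `reg query` output for the three real registry locations involved and reports what the host's settings do and do not mitigate. The sample registry output is constructed, and the function names are my own.

```python
import re

# Constructed sample of `reg query` output for one host (not real data): the
# host enforces NTLMv2-only (LmCompatibilityLevel 5) but does not require SMB
# signing on either its server (LanmanServer) or its client (LanmanWorkstation) side.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x0
"""

# Real registry paths; the value names are the ones Windows uses.
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SERVER = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
CLIENT = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\(.+?)\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def parse_reg_query(text):
    """Parse `reg query` text into {key_path: {value_name: int}} (REG_DWORD only)."""
    values = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            values.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            values[current][val.group(1)] = int(val.group(2), 16)
    return values


def assess_relay_exposure(values):
    """Summarise which relay-relevant controls are on, and what each one covers."""
    lsa = values.get(LSA, {})
    server = values.get(SERVER, {})
    client = values.get(CLIENT, {})

    # 5 = send NTLMv2 only and refuse LM/NTLM: the "NTLMv2 only" posture in the post.
    ntlmv2_only = lsa.get("LmCompatibilityLevel", 0) == 5
    # 1 = signing is mandatory; a relayed session has no session key, so it is rejected.
    server_signing = server.get("RequireSecuritySignature", 0) == 1
    client_signing = client.get("RequireSecuritySignature", 0) == 1

    findings = []
    if not server_signing:
        findings.append("SMB server signing not required: an authentication relayed "
                        "to this host's shares would be accepted")
    if not client_signing:
        findings.append("SMB client signing not required: this host's outbound SMB "
                        "sessions can be forwarded by a rogue server")
    if ntlmv2_only and not server_signing:
        findings.append("LmCompatibilityLevel 5 only rules out LM/NTLMv1 responses; "
                        "it does not stop an NTLMv2 authentication being relayed")
    return {
        "ntlmv2_only": ntlmv2_only,
        "server_signing_required": server_signing,
        "client_signing_required": client_signing,
        "relay_mitigated": server_signing and client_signing,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess_relay_exposure(parse_reg_query(SAMPLE_REG_QUERY))
    for line in report["findings"] or ["no relay-relevant findings"]:
        print("-", line)
```

Run against exported `reg query` output from the file server holding the share and from the client laptop; the share host is the one whose server-side signing setting matters for whether a forwarded authentication is honoured.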
Current thread:
- Is this SMB relay scenario doable ? Dan Jenkins (Nov 28)
- Re: Is this SMB relay scenario doable ? HD Moore (Nov 29)