[framework] NTLM relay implemented in Metasploit 3?
H D Moore
hdm at metasploit.com
Wed Feb 6 14:47:02 CST 2008
You can find the current implementation in:
modules/exploits/windows/smb/smb_relay.rb
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/smb_relay.rb
This code will accept a connection from a host, then connect back to the
same host, and relay their own authentication information. Once an
authenticated SMB session is established, it uploads a payload, wrapped
in an EXE, and executes it.
The three big missing features:
1) Ability to target a host other than the originating system
2) Support for NTLMv2 relays (should be easy, just time consuming to test)
3) A service wrapper around the EXE that prevents it from being killed
after ~30 seconds.
Other projects in the works include non-SMB NTLM relays (HTTP, etc.),
which are being headed up by Grutz, and an auxiliary module that provides
the equivalent of an smbclient shell, instead of just running shellcode.
-HD
On Wednesday 06 February 2008, Parity wrote:
> I've been hunting through the project & docs, looking for whatever
> module implements the attack, but apparently I haven't been looking
> hard enough. I hate having to bug the list like this, but can somebody
> tell me where this thing is at? Obliged,
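A defender-side illustration, added here and not part of the post or of the Metasploit module: because the relay described above connects back to the originating host, the victim sees an outbound SMB session to a peer followed shortly by an inbound NTLM logon from that same peer. The Python below flags that pattern over constructed log records; the record format, the field names and the 30-second window are assumptions.

```python
"""Flag SMB credential reflection: an inbound NTLM logon from a peer that
this host itself opened an SMB session to moments earlier."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: float      # seconds since epoch
    kind: str      # "smb_out": this host opened SMB to peer; "ntlm_in": inbound NTLM logon
    peer: str      # remote IP address
    user: str = "" # account name on inbound logons (assumed field)


# Constructed sample, seen from the victim 10.0.0.5: it is lured into opening
# SMB to 10.0.0.9, which immediately authenticates back as the same user.
SAMPLE_LOG = [
    "1202330000.0 smb_out 10.0.0.9",
    "1202330001.5 ntlm_in 10.0.0.9 CORP\\alice",
    "1202330100.0 ntlm_in 10.0.0.22 CORP\\bob",      # no prior outbound session
    "1202330500.0 smb_out 10.0.0.30",
    "1202330700.0 ntlm_in 10.0.0.30 CORP\\carol",    # 200 s later, outside window
]


def parse(lines):
    """Parse 'ts kind peer [user]' records (constructed format) into Events."""
    events = []
    for line in lines:
        parts = line.split("#")[0].split()   # drop trailing comments, then tokenize
        ts, kind, peer = float(parts[0]), parts[1], parts[2]
        user = parts[3] if len(parts) > 3 else ""
        events.append(Event(ts, kind, peer, user))
    return events


def find_reflections(events, window=30.0):
    """Return (peer, user) pairs where an inbound NTLM logon arrives from a peer
    to which this host opened an outbound SMB session within `window` seconds."""
    last_out = {}   # peer -> timestamp of the most recent outbound SMB session
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "smb_out":
            last_out[ev.peer] = ev.ts
        elif ev.kind == "ntlm_in":
            opened = last_out.get(ev.peer)
            if opened is not None and 0 <= ev.ts - opened <= window:
                hits.append((ev.peer, ev.user))
    return hits


if __name__ == "__main__":
    print(find_reflections(parse(SAMPLE_LOG)))   # [('10.0.0.9', 'CORP\\alice')]
```

Requiring SMB signing on the victim removes the relay's value regardless of detection; this check is for spotting attempts where signing is not yet enforced.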