Re: [framework-hackers] smbrelay
On Monday 22 December 2008, ArcSighter Elite wrote:

> I came this morning with something. The MS08-67 patch, where challenge keys
> couldn't be replayed: does it also affect the other variants of the attack,
> such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP and SMTP
> versions?

Supposedly it affects any component that initializes the security negotiation the right way, but only during a direct reflection attack. You can still relay to a third-party host regardless of protocol.

-HD

___
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
Re: [framework-hackers] smbrelay
H D Moore wrote:

> On Monday 22 December 2008, ArcSighter Elite wrote:
>
> > I came this morning with something. The MS08-67 patch, where challenge
> > keys couldn't be replayed: does it also affect the other variants of the
> > attack, such as HTTP 401 + WWW-Authenticate: NTLM, and the IMAP, POP and
> > SMTP versions?
>
> Supposedly it affects any component that initializes the security
> negotiation the right way, but only during a direct reflection attack. You
> can still relay to a third-party host regardless of protocol.
>
> -HD

Yes, I know the replay attack is still working. I'm talking about the reflection one here. I'm going to do some tests right away. Wait for results.

Sincerely.
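To make HD's distinction concrete (the patch stops a host from authenticating to itself, but not relaying to a third-party host), here is a toy model added for this page; it is not NTLM, not Windows code, and not part of the thread. It assumes a simplified challenge-response scheme (HMAC over a random challenge with a constructed user key) and models the patch as a client-side check: the component that initiates the negotiation refuses to answer a challenge that its own server side has outstanding. That placement follows HD's remark about "any component that initializes the security negotiation"; the exact mechanism Windows uses is not stated on the page, so treat the check as an illustrative assumption.

```python
"""Toy model of challenge-response reflection vs. third-party relay.
Constructed example for illustration: not NTLM and not Windows code."""
import hashlib
import hmac
import os

# Constructed stand-in for a domain user's password-derived key. In this toy
# every host can verify responses for this user, as it would via a DC.
USER_KEY = b"constructed-user-key-not-a-real-hash"


class ReflectionRefused(Exception):
    """Raised when a client refuses a challenge its own server side issued."""


class Host:
    """One machine acting as both server (issues challenges) and client (answers them)."""

    def __init__(self, name: str, reflection_guard: bool) -> None:
        self.name = name
        self.reflection_guard = reflection_guard  # patched (True) vs unpatched (False)
        self.outstanding: set[bytes] = set()      # challenges this host's server side issued

    # ---- server role ----
    def issue_challenge(self) -> bytes:
        challenge = os.urandom(8)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        """Accept only a correct response to a challenge this server issued and not yet consumed."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = hmac.new(USER_KEY, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    # ---- client role ----
    def respond(self, challenge: bytes) -> bytes:
        """Answer a challenge from a server the user is authenticating to."""
        if self.reflection_guard and challenge in self.outstanding:
            # The challenge came from our own server side: the reflection case
            # the patch shuts down (model assumption, see lead-in).
            raise ReflectionRefused(f"{self.name} refuses to answer its own challenge")
        return hmac.new(USER_KEY, challenge, hashlib.sha256).digest()


def relay(victim: Host, target: Host) -> bool:
    """Model a party sitting between victim's client and target's server:
    target issues a challenge, victim's client answers it, and the answer is
    presented to target. Returns True if target accepts the authentication."""
    challenge = target.issue_challenge()
    try:
        response = victim.respond(challenge)
    except ReflectionRefused:
        return False
    return target.verify(challenge, response)


def reflection_unpatched() -> bool:
    host = Host("unpatched", reflection_guard=False)
    return relay(host, host)       # host authenticates to itself


def reflection_patched() -> bool:
    host = Host("patched", reflection_guard=True)
    return relay(host, host)       # client refuses its own challenge


def third_party_relay_patched() -> bool:
    victim = Host("victim", reflection_guard=True)
    target = Host("target", reflection_guard=True)
    return relay(victim, target)   # guard only covers the same host


def wrong_response_rejected() -> bool:
    target = Host("target", reflection_guard=True)
    challenge = target.issue_challenge()
    return not target.verify(challenge, b"\x00" * 32)


if __name__ == "__main__":
    print("reflection, unpatched:", reflection_unpatched())
    print("reflection, patched:  ", reflection_patched())
    print("third-party relay:    ", third_party_relay_patched())
```

The three scenario functions reproduce the thread's claim: the guard changes the outcome only when the answering client and the verifying server are the same host, which is why the protocol carrying the negotiation (SMB, HTTP 401, IMAP, POP, SMTP) does not matter for the third-party case.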
Re: [framework-hackers] smbrelay
Ah, did you test Metasploit's HTTP-to-SMB attack? More than likely the same method works (Grutz did some work on that); we just need to implement the HTTP server side (or merge Grutz's patches in).

-HD

On Monday 22 December 2008, ArcSighter Elite wrote:

> I don't know yet what the true difference is here. But the fact is that
> what I've posted successfully works against XP SP(2|3) Spanish. We of
> course need more testing, but I already know some people qualify what
> smb_relay does as an SMB-to-SMB attack, and what I'm doing here is some
> sort of HTTP-to-SMB attack, where the NTLM negotiation is requested by the
> (fake) web server with 401 + WWW-Authenticate: NTLM. Then the client sends
> me his authorization field in the NTLM-Authorization field. It's a little
> browser-based. Of course after that we get SMB traffic, but who cares?