module
MS08-068 Microsoft Windows SMB Relay Code Execution
| Disclosed | Created |
|---|---|
| 03/31/2001 | 05/30/2018 |
Disclosed
03/31/2001
Created
05/30/2018
Description
This module will relay SMB authentication requests to another
host, gaining access to an authenticated SMB session if successful.
If the connecting user is an administrator and network logins are
allowed to the target machine, this module will execute an arbitrary
payload. To exploit this, the target system must try to authenticate
to this module. The easiest way to force a SMB authentication attempt
is by embedding a UNC path (\SERVER\SHARE) into a web page or
email message. When the victim views the web page or email, their
system will automatically connect to the server specified in the UNC
share (the IP address of the system running this module) and attempt
to authenticate. Unfortunately, this
module is not able to clean up after itself. The service and payload
file listed in the output will need to be manually removed after access
has been gained. The service created by this tool uses a randomly chosen
name and description, so the services list can become cluttered after
repeated exploitation.
The SMB authentication relay attack was first reported by Sir Dystic on
March 31st, 2001 at @lanta.con in Atlanta, Georgia.
On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin
includes a patch which prevents the relaying of challenge keys back to
the host which issued them, preventing this exploit from working in
the default configuration. It is still possible to set the SMBHOST
parameter to a third-party host that the victim is authorized to access,
but the "reflection" attack has been effectively broken.
As of Feb 2022 - this module does not support SMB 1.
host, gaining access to an authenticated SMB session if successful.
If the connecting user is an administrator and network logins are
allowed to the target machine, this module will execute an arbitrary
payload. To exploit this, the target system must try to authenticate
to this module. The easiest way to force a SMB authentication attempt
is by embedding a UNC path (\SERVER\SHARE) into a web page or
email message. When the victim views the web page or email, their
system will automatically connect to the server specified in the UNC
share (the IP address of the system running this module) and attempt
to authenticate. Unfortunately, this
module is not able to clean up after itself. The service and payload
file listed in the output will need to be manually removed after access
has been gained. The service created by this tool uses a randomly chosen
name and description, so the services list can become cluttered after
repeated exploitation.
The SMB authentication relay attack was first reported by Sir Dystic on
March 31st, 2001 at @lanta.con in Atlanta, Georgia.
On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin
includes a patch which prevents the relaying of challenge keys back to
the host which issued them, preventing this exploit from working in
the default configuration. It is still possible to set the SMBHOST
parameter to a third-party host that the victim is authorized to access,
but the "reflection" attack has been effectively broken.
As of Feb 2022 - this module does not support SMB 1.
Authors
hdm juan vazquez agalway-r7alanfosterSpencer McIntyre
Platform
Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/windows/smb/smb_relay
msf /(y) > show actions
...actions...
msf /(y) > set ACTION < action-name >
msf /(y) > show options
...show and set options...
msf /(y) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.