Kevin-Robertson / Inveigh

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
BSD 3-Clause "New" or "Revised" License

Mount remote share instead of executing command #6

Closed Arno0x closed 5 years ago

Arno0x commented 8 years ago

Hello,

Is it possible to do NTLM relay (using InveighRelay) to mount a share on the target, rather than perform remote code execution? The idea behind this question is when the target is a Unix/Samba system, where NTLM authentication is effective but executing a remote process through DCERPC calls (or whatever's under the hood) is not relevant.

Thanks, Arno

Kevin-Robertson commented 8 years ago

Hi,

Right now the module is limited to code execution so it wouldn't work. As for adding it in, I'm not sure if it's possible or not. I don't remember seeing that option in any other SMB relay tool.

I really need to spend some time with the Inveigh Relay module though. I'll add mapping to the list of things to try. It would be a useful attack option. Thanks!

Arno0x commented 8 years ago

Hi Kevin,

It is indeed a common thing to encounter some NAS in corporate environments, exposing an SMB service (Samba), integrated with the corporation's Active Directory such that standard Windows SSO can be used, through NTLM authentication, to mount the share.

There's actually another tool performing NTLM relay called ZackAttack (development is pretty much abandoned in an 'early alpha' state), which you can theoretically use to perform cross-protocol (HTTP -> SMB) NTLM relay and expose a SOCKS server such that any NTLM client (e.g. smbclient) can leverage the NTLM relaying capability. Unfortunately, I could not manage to make it work properly (almost there, but the last mile fails miserably...).

So, while there are indeed a few NTLM relay tools performing code execution, there's definitely a lack of a tool able to mount a remote share.

Fantastic work on Inveigh, by the way! Cheers.

Arno0x commented 5 years ago

Hi Kevin,

Is this issue closed because Inveigh now supports mounting a remote share, or is it simply not on your roadmap and never will be?

I admit I have not assessed the latest version of Inveigh, but the wiki still mentions it only supports a PSExec-type command attack, so my guess is that this function cannot be (simply) implemented.

Cheers! Arno

Kevin-Robertson commented 5 years ago

Hi,

Sorry, the issue was so old I skipped the update :)

I don't have a way in Inveigh to actually map a drive that is accessible through Explorer. I did add a 'session' attack to Inveigh Relay that will keep a relayed authenticated session open. The session can then be accessed with the SMB tools from Invoke-TheHash. This includes Invoke-SMBClient for some basic file share tasks.

I haven't yet updated the wiki. I have a blog post though with some details:

https://blog.netspi.com/inveigh-whats-new-in-version-1-4/

Thanks,

Kevin

Arno0x commented 5 years ago

This looks really good! We (the community) are the ones who should thank you, not the other way round, for this amazing tool :-)

Cheers Arno