Module: Msf::Exploit::Remote::SMB::RelayServer

Includes:
Server::HashCapture, Msf::Exploit::Remote::SocketServer
Defined in:
lib/msf/core/exploit/remote/smb/relay_server.rb

Overview

This mixin provides a minimal SMB server

Defined Under Namespace

Classes: SMBRelayServer

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::SocketServer

#service

Instance Method Summary

Methods included from Server::HashCapture

#bin_to_hex, #build_jtr_file_name, #on_ntlm_type3, #report_ntlm_type3, #validate_smb_hash_capture_datastore

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Msf::Exploit::Remote::SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Method Details

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay_server.rb', line 10

# Registers the datastore options that every SMB relay module using this
# mixin exposes, after letting the rest of the ancestor chain initialize.
#
# Options registered here:
# * SRVPORT       - required listening port, default 445
# * SMBDomain     - required domain name, default 'WORKGROUP' (alias DOMAIN_NAME)
# * SRV_TIMEOUT   - required server-socket timeout in seconds, default 25
# * RELAY_TARGETS - required address range / CIDR, no default (alias SMBHOST)
# * RELAY_TIMEOUT - required relay-socket timeout in seconds, default 25
#
# @param info [Hash] module metadata, forwarded unchanged by the bare +super+
def initialize(info = {})
  super

  relay_options = [
    OptPort.new(
      'SRVPORT',
      [true, 'The local port to listen on.', 445]
    ),
    OptString.new(
      'SMBDomain',
      [true, 'The domain name used during SMB exchange.', 'WORKGROUP'],
      aliases: ['DOMAIN_NAME']
    ),
    OptInt.new(
      'SRV_TIMEOUT',
      [true, 'Seconds that the server socket will wait for a response after the client has initiated communication.', 25]
    ),
    # RELAY_TARGETS is the only option without a default, so the operator
    # has to supply it explicitly.
    OptAddressRange.new(
      'RELAY_TARGETS',
      [true, 'Target address range or CIDR identifier to relay to'],
      aliases: ['SMBHOST']
    ),
    OptInt.new(
      'RELAY_TIMEOUT',
      [true, 'Seconds that the relay socket will wait for a response after the client has initiated communication.', 25]
    )
  ]

  register_options(relay_options, self.class)
end

#on_relay_failure(relay_connection:) ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay_server.rb', line 151

# Default relay-failure hook; does nothing and returns nil.
#
# Including modules can override this to react to a failed relay attempt.
# NOTE(review): the caller is not visible in this listing; presumably the
# relay server invokes it through the +listener+ it is given. Confirm there.
#
# @param relay_connection [Object] the connection the failure relates to
#   (unused by this default implementation)
# @return [nil]
def on_relay_failure(relay_connection:)
  # Intentionally empty: the mixin itself has nothing to do on failure.
  nil
end

#relay_targets ⇒ Object

Raises:

  • (NotImplementedError)


# File 'lib/msf/core/exploit/remote/smb/relay_server.rb', line 147

# Abstract accessor for the targets handed to the relay server.
#
# The mixin only declares the contract; the including module has to
# provide the real implementation.
#
# @raise [NotImplementedError] always, unless overridden
def relay_targets
  message = 'the including module must define #relay_targets'
  raise NotImplementedError, message
end

#smb_logger ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay_server.rb', line 23

# Builds the logger handed to the SMB server.
#
# The log device depends on the VERBOSE datastore option: when it is truthy
# the device is built around this module instance, otherwise around the
# framework object. A new Logger is constructed on every call.
#
# @return [Msf::Exploit::Remote::SMB::LogAdapter::Logger]
def smb_logger
  verbose = datastore['VERBOSE']
  adapter = Msf::Exploit::Remote::SMB::LogAdapter

  device = verbose ? adapter::LogDevice::Module.new(self) : adapter::LogDevice::Framework.new(framework)

  adapter::Logger.new(self, device)
end

#start_service(_opts = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/smb/relay_server.rb', line 106

# Starts the SMB relay listener and stores the service handle in @service.
#
# Steps, in order:
# 1. build the AlwaysGrantAccess GSS/NTLM provider with SMBDomain as its
#    default domain;
# 2. set the provider's DNS and NetBIOS domain/hostname fields;
# 3. run validate_smb_hash_capture_datastore against the datastore;
# 4. pick the server comm for SRVHOST and print the status line;
# 5. start self.class::SMBRelayServer through Rex::ServiceManager.
#
# @param _opts [Hash] accepted for interface compatibility; not used
# @return [Object] whatever Rex::ServiceManager.start returns
def start_service(_opts = {})
  provider_class = Msf::Exploit::Remote::SMB::Relay::Provider::AlwaysGrantAccess
  domain = datastore['SMBDomain']
  ntlm_provider = provider_class.new(default_domain: domain)

  # Set domain name for all future server responses.
  # NOTE(review): the two *_hostname fields receive the domain value as
  # well, so the server identifies itself with the same string everywhere.
  # Confirm this is intended.
  ntlm_provider.dns_domain = domain
  ntlm_provider.dns_hostname = domain
  ntlm_provider.netbios_domain = domain
  ntlm_provider.netbios_hostname = domain

  validate_smb_hash_capture_datastore(datastore, ntlm_provider)

  comm = _determine_server_comm(datastore['SRVHOST'])

  # The status line is emitted before the service is actually started, so it
  # appears even when the start call below raises (e.g. on a bind failure).
  print_status("SMB Server is running. Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}")

  server_class = self.class::SMBRelayServer

  # Listening-socket parameters.
  socket_settings = {
    'Comm' => comm,
    'LocalHost' => datastore['SRVHOST'],
    'LocalPort' => datastore['SRVPORT'],
    'Server' => true,
    'Timeout' => datastore['SRV_TIMEOUT'],
    'Context' => { 'Msf' => framework, 'MsfExploit' => self }
  }

  # SMB-level parameters; this module registers itself as the listener and
  # supplies the relay targets defined by the including module.
  smb_settings = {
    gss_provider: ntlm_provider,
    logger: smb_logger,
    relay_targets: relay_targets,
    listener: self,
    relay_timeout: datastore['RELAY_TIMEOUT'],
    thread_manager: framework.threads
  }

  @service = Rex::ServiceManager.start(
    server_class,
    { socket: socket_settings, smb_server: smb_settings }
  )
end