Metasploit mailing list archives

NTLM relay implemented in Metasploit 3?


From: hdm at metasploit.com (H D Moore)
Date: Wed, 6 Feb 2008 14:47:02 -0600

You can find the current implementation in:
 modules/exploits/windows/smb/smb_relay.rb

http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/smb_relay.rb

This code will accept a connection from a host, then connect back to the 
same host, and relay their own authentication information. Once an 
authentication SMB session is established, it uploads a payload, wrapped 
in an EXE, and executes it.

The three big missing features:

1) Ability to target a host other than the originating system
2) Support for NTLMv2 relays (should be easy, just time consuming to test)
3) A service wrapper around the EXE that prevents it from being killed 
after ~30 seconds.

Other projects in the works include non-SMB NTLM relays (HTTP, etc), this 
is being headed up by Grutz, and an auxiliary module that provides the 
equivalent of a smbclient shell, instead of just running shellcode.

-HD

On Wednesday 06 February 2008, Parity wrote:
I've been hunting through the project & docs, looking for whatever
module implements the attack, but apparently I haven't been looking
hard enough. I hate having to bug the list like this, but can somebody
tell me where this thing is at? Obliged,
