Metasploit mailing list archives

NTLM/LM Challenge


From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Sat, 18 Apr 2009 11:54:09 -0500

Hey Sussurro,

Nice work! NTLM is STILL fun to play with after all these years :)

I've done a lot of work with pass the dutchie attacks and spoke about it a few times last year as part of the Squirtle 
NTLM Attack Toolkit (http://squirtle.googlecode.com/). The MSF library contains code to handle the Type 1/Type 3 
messages so I'd recommend using them in case they get extended due to protocol changes (should that ever happen) and to 
keep core library functions out of exploit/aux modules as much as possible. These routines can be found under 
lib/rex/proto/smb/utils.rb:

    def self.process_type3_message(message)

returns five strings: domain, user, hostname, lm hash challenge, nt hash challenge

    def self.process_type1_message(message, nonce = "\x11\x22\x33\x44\x55\x66\x77\x88", win_domain = 'DOMAIN',
                win_name = 'SERVER', dns_name = 'server', dns_domain = 'example.com', downgrade = true)

returns a Base64 encoded Type 2 message, downgrading the NTLMv2 and signing support if requested.

Based on your Type 2 generation code I'm pretty sure most clients will not respond to you because you're not 
negotiating the right protocols with them or sending them valid domain information. In my testing most systems required 
the correct domain be sent to them in the Type 2 message.

Keep up the good work!

On Thu, Apr 09, 2009 at 12:14:46AM -0400, Sussurro wrote:
> Hello,
>   I've been doing some playing with NTLM/LM Challenge hashes, and I built a
> new module which tries to quietly exploit a trusted site relationship in
> order to gather NTLM/LM Challenge hashes. The goal of this module is to be
> pretty quiet, so it is not overly aggressive in trying to get credentials:
> if the host supports NTLM auth then it will pass it along; if it isn't in
> the circle of trust, a pop-up will be displayed.
>
> In addition, since I don't think there was a tool to turn a cracked LM
> Challenge hash into the case-sensitive NTLM pass, I am including a patch to
> allow the current tools to support challenge hashes. Feedback is welcome; I
> haven't done much with Metasploit or Ruby, so if you see something that is
> way off or can be improved, pass it along.
>
> Thanks!


-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."


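As an added example (not code from this thread or from the Metasploit library), a stand-alone Ruby parser for the NTLMSSP Type 3 (AUTHENTICATE) message that returns the same five fields Kurt lists for process_type3_message, plus the negotiate flags; build_type3 and its sample values are constructed test data, and the hex-encoded responses are what a captured Type 3 would yield for analysis.

```ruby
require 'base64'

NTLMSSP_SIGNATURE = "NTLMSSP\x00".b
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # string fields are UTF-16LE
NTLMSSP_NEGOTIATE_OEM     = 0x00000002   # string fields are OEM/ASCII

# Read one "security buffer" (len:u16, maxlen:u16, offset:u32) at pos and
# return the bytes it points at, refusing offsets that run past the message.
def read_secbuf(msg, pos)
  len, _maxlen, off = msg[pos, 8].unpack('vvV')
  raise ArgumentError, 'security buffer out of bounds' if off + len > msg.bytesize
  msg[off, len]
end

# Parse an NTLMSSP Type 3 message into domain, user, hostname and the two
# challenge responses (hex), plus the negotiate flags the client sent.
def parse_type3(message)
  msg = message.b
  raise ArgumentError, 'message too short' if msg.bytesize < 64
  raise ArgumentError, 'not an NTLMSSP message' unless msg[0, 8] == NTLMSSP_SIGNATURE
  msg_type = msg[8, 4].unpack1('V')
  raise ArgumentError, "expected Type 3, got Type #{msg_type}" unless msg_type == 3
  flags = msg[60, 4].unpack1('V')
  lm, nt, dom, usr, host = [12, 20, 28, 36, 44].map { |p| read_secbuf(msg, p) }
  decode = lambda do |s|
    (flags & NTLMSSP_NEGOTIATE_UNICODE) != 0 ? s.force_encoding('UTF-16LE').encode('UTF-8') : s.force_encoding('ASCII')
  end
  { domain: decode.(dom), user: decode.(usr), hostname: decode.(host),
    lm_response: lm.unpack1('H*'), nt_response: nt.unpack1('H*'), flags: flags }
end

# Same, for the value of an HTTP "Authorization: NTLM <base64>" header.
def parse_type3_header(value)
  parse_type3(Base64.strict_decode64(value.sub(/\ANTLM\s+/, '')))
end

# Build a Type 3 message from given fields (constructed test data, not a real capture).
def build_type3(domain:, user:, hostname:, lm_response:, nt_response:, unicode: true)
  flags = unicode ? NTLMSSP_NEGOTIATE_UNICODE : NTLMSSP_NEGOTIATE_OEM
  enc = ->(s) { unicode ? s.encode('UTF-16LE').b : s.b }
  fields = [lm_response.b, nt_response.b, enc.(domain), enc.(user), enc.(hostname), ''.b]
  payload = ''.b
  bufs = fields.map do |f|
    off = 64 + payload.bytesize   # fixed 64-byte header precedes the payload
    payload << f
    [f.bytesize, f.bytesize, off].pack('vvV')
  end
  NTLMSSP_SIGNATURE + [3].pack('V') + bufs.join + [flags].pack('V') + payload
end
```

Feeding the parser a Type 1 or a truncated message raises ArgumentError rather than returning garbage fields.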