Metasploit mailing list archives
Re: Metasploit 3.8.0-dev.13016
From: Jose Selvi <jselvi () pentester es>
Date: Fri, 01 Jul 2011 00:16:54 +0200
From the module's code:

    if(datastore['CAINPWFILE'] and smb[:username])
      if ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE then
        fd = File.open(datastore['CAINPWFILE'], "ab")
        fd.puts(
          [
            smb[:username],
            smb[:domain] ? smb[:domain] : "NULL",
            @challenge.unpack("H*")[0],
            lm_hash ? lm_hash : "0" * 48,
            nt_hash ? nt_hash : "0" * 48
          ].join(":").gsub(/\n/, "\\n")
        )
        fd.close
      end
    end

It seems that only the NTLMv1 challenge-response is stored in Cain&Abel format. I can't remember, but I think I read some time ago that NTLMv2 importing or cracking was not supported by Cain & Abel, so this output format wasn't generated for NTLMv2. You can recode the module for accepting it, or simply use awk (or similar) to convert JTR format to CHEMA.

On 30/06/11 18:56, Dan Jenkins wrote:
> I was trying to use the auxiliary/server/capture/smb payload to capture the NTLMv2 protocol and get the NTLMv2 challenge response data. It WORKS fine - except that it does NOT capture them in CAIN & ABEL format. It DOES capture them in JTR format. JTR format also splits out the LMv2 and NTLMv2 formats. My config is shown below. Anyone else have this problem?
>
>     msf auxiliary(smb) > info
>
>            Name: Authentication Capture: SMB
>          Module: auxiliary/server/capture/smb
>         Version: 12683
>         License: Metasploit Framework License (BSD)
>            Rank: Normal
>
>     Provided by:
>       hdm <hdm () metasploit com>
>
>     Basic options:
>       Name        Current Setting   Required  Description
>       ----        ---------------   --------  -----------
>       CAINPWFILE  /tmp/65.cain      no        The local filename to store the hashes in Cain&Abel format
>       CHALLENGE   1122334455667788  yes       The 8 byte challenge
>       JOHNPWFILE  /tmp/65.john      no        The prefix to the local filename to store the hashes in JOHN format
>       LOGFILE     /tmp/65.log       no        The local filename to store the captured hashes
>       SRVHOST     172.16.1.100      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
>       SRVPORT     445               yes       The local port to listen on.
>       SSL         false             no        Negotiate SSL for incoming connections
>       SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
>       SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
>
>     Description:
>       This module provides a SMB service that can be used to capture the challenge-response
>       password hashes of SMB client systems. Responses sent by this service have by default
>       the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy
>       cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit
>       this, the target system must try to authenticate to this module. The easiest way to force
>       a SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page
>       or email message. When the victim views the web page or email, their system will
>       automatically connect to the server specified in the UNC share (the IP address of the
>       system running this module) and attempt to authenticate.
>
>     msf auxiliary(smb) >
--
Jose Selvi.
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
http://www.pentester.es

SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
http://www.sans.org/mentor/details.php?nid=24133
http://www.pentester.es/2010/12/nuevo-grupo-y-descuento-para-network.html
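To make the two layouts concrete, here is an added example (not the capture module's own code, nor anything from the thread) that reproduces the Cain&Abel line from the excerpt above as a pure function, writes the JOHNPWFILE layout for both NTLM versions, and does the "awk-style" JTR-to-Cain conversion Jose suggests. Assumed: the Cain NTLMv1 layout is copied from the module excerpt; the John NetNTLM (user::domain:lm:nt:challenge) and NetNTLMv2 (user::domain:challenge:NTProofStr:blob) layouts are John the Ripper's documented formats and are not stated on this page; NTLM_V1/NTLM_V2 are placeholders for the module's NTLM_CONST values.

```ruby
# Added example, not the module's own code. Reproduces the line layouts the
# smb capture module writes and the JtR-to-Cain conversion suggested above.
# Assumed: Cain&Abel NTLMv1 layout taken from the module excerpt; John
# NetNTLM / NetNTLMv2 layouts are John the Ripper's documented formats.
NTLM_V1 = :ntlmv1   # placeholder for NTLM_CONST::NTLM_V1_RESPONSE
NTLM_V2 = :ntlmv2   # placeholder for NTLM_CONST::NTLM_V2_RESPONSE

# Cain&Abel line: user:domain:challenge:lm_response:nt_response (NTLMv1 only,
# exactly as the module does). Returns nil for NTLMv2 so callers can tell
# that nothing was written, instead of silently producing no output.
def cain_line(username, domain, challenge, lm_hash, nt_hash, ntlm_ver)
  return nil unless ntlm_ver == NTLM_V1
  [username, domain || "NULL", challenge.unpack("H*")[0],
   lm_hash || "0" * 48, nt_hash || "0" * 48].join(":").gsub(/\n/, "\\n")
end

# John the Ripper line.  NetNTLMv1: user::domain:lm:nt:challenge
#                        NetNTLMv2: user::domain:challenge:NTProofStr(32 hex):blob
# For NTLMv2 the captured NT response is split: first 16 bytes (32 hex chars)
# are the NTProofStr, the remainder is the client blob.
def john_line(username, domain, challenge, lm_hash, nt_hash, ntlm_ver)
  chal = challenge.unpack("H*")[0]
  dom  = domain || "NULL"
  if ntlm_ver == NTLM_V1
    [username, nil, dom, lm_hash || "0" * 48, nt_hash || "0" * 48, chal].join(":")
  else
    raise ArgumentError, "NTLMv2 response too short" if nt_hash.nil? || nt_hash.length <= 32
    [username, nil, dom, chal, nt_hash[0, 32], nt_hash[32..-1]].join(":")
  end
end

# Convert one JOHNPWFILE line back to the Cain layout (what the awk one-liner
# would do). Only NetNTLMv1 lines convert: their 4th field is the 48-hex LM
# response, whereas a NetNTLMv2 line carries the 16-hex challenge there.
# NetNTLMv2 lines return nil because Cain has no NTLMv2 import, per the thread.
def john_to_cain(line)
  f = line.chomp.split(":", 6)
  return nil unless f.length == 6 && f[1] == "" && f[3].length == 48
  [f[0], f[2], f[5], f[3], f[4]].join(":")
end
```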