Metasploit mailing list archives
NTLM/LM Challenge
From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Sat, 18 Apr 2009 11:54:09 -0500
Hey Sussurro,

Nice work! NTLM is STILL fun to play with after all these years :) I've done a lot of work with pass the dutchie attacks and spoke about it a few times last year as part of the Squirtle NTLM Attack Toolkit (http://squirtle.googlecode.com/).

The MSF library contains code to handle the Type 1/Type 3 messages so I'd recommend using them in case they get extended due to protocol changes (should that ever happen) and to keep core library functions out of exploit/aux modules as much as possible. These routines can be found under lib/rex/proto/smb/utils.rb:

  def self.process_type3_message(message)

    returns five strings: domain, user, hostname, lm hash challenge, nt hash challenge

  def self.process_type1_message(message, nonce = "\x11\x22\x33\x44\x55\x66\x77\x88", win_domain = 'DOMAIN', win_name = 'SERVER', dns_name = 'server', dns_domain = 'example.com', downgrade = true)

    returns a Base64 encoded Type 2 message, downgrading the NTLMv2 and signing support if requested.

Based on your Type 2 generation code I'm pretty sure most clients will not respond to you because you're not negotiating the right protocols with them or sending them valid domain information. In my testing most systems required the correct domain be sent to them in the Type 2 message.

Keep up the good work!

On Thu, Apr 09, 2009 at 12:14:46AM -0400, Sussurro wrote:
> Hello,
>
> I've been doing some playing with NTLM/LM Challenge hashes, and I built a new module which tries to quietly exploit a trusted site relationship in order to gather NTLM/LM Challenge hashes. The goal of this module is to be pretty quiet, so it is not overly aggressive in trying to get credentials: if the host supports NTLM auth then it will pass it along; if it isn't in the circle of trust, a pop-up will be displayed. In addition, since I don't think there was a tool to turn a cracked LM Challenge hash into the case-sensitive NTLM pass, I am including a patch to allow the current tools to support challenge hashes.
>
> Feedback is welcome. I haven't done much with Metasploit or Ruby, so if you see something that is way off or can be improved, pass it along.
>
> Thanks!
-- 
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
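The Type 2 / Type 3 handling discussed above, as an added example that is neither part of this thread nor the Rex code in lib/rex/proto/smb/utils.rb: a small defender-side Ruby parser that pulls the target name, negotiate flags and challenge out of a captured Type 2 and the domain, user, workstation and response lengths out of a Type 3, so an exchange can be checked for a server that offers no signing or extended session security (steering the client toward NTLMv1/LM responses) and for a client that actually answered with 24-byte NTLMv1 responses. The field offsets follow the NTLMSSP layout without the optional Version/MIC fields; the two sample messages are constructed here and are not real captures.

```ruby
# Added example, not MSF's Rex code: minimal parser for NTLMSSP Type 2 (challenge)
# and Type 3 (authenticate) messages, fixed header without Version/MIC fields.
NTLM_FLAGS = { 0x1 => 'UNICODE', 0x10 => 'SIGN', 0x200 => 'NTLM', 0x8000 => 'ALWAYS_SIGN',
               0x80000 => 'EXTENDED_SESSIONSECURITY', 0x800000 => 'TARGET_INFO' }.freeze

# Security buffer header (len, maxlen, offset) at +pos+; returns the bytes it points at.
def ntlm_field(msg, pos)
  len, _max, off = msg[pos, 8].unpack('vvV')
  buf = msg[off, len]
  raise ArgumentError, 'truncated security buffer' if buf.nil? || buf.bytesize < len
  buf
end

# Strings are UTF-16LE when the UNICODE flag was negotiated, OEM bytes otherwise.
def decode_str(bytes, flags)
  (flags & 1) != 0 ? bytes.force_encoding('UTF-16LE').encode('UTF-8') : bytes
end

def parse_ntlm(msg)
  raise ArgumentError, 'not an NTLMSSP message' unless msg[0, 8] == "NTLMSSP\0".b
  case msg[8, 4].unpack1('V')
  when 2
    flags = msg[20, 4].unpack1('V')
    { type: 2, target: decode_str(ntlm_field(msg, 12), flags),
      flag_names: NTLM_FLAGS.select { |bit, _| (flags & bit) != 0 }.values,
      challenge: msg[24, 8].unpack1('H*'),
      # Neither extended session security nor signing offered: the client is being
      # steered toward NTLMv1/LM responses, which is what a detection should flag.
      downgrade_offered: (flags & 0x80000).zero? || (flags & 0x10).zero? }
  when 3
    flags = msg[60, 4].unpack1('V')
    lm, nt = ntlm_field(msg, 12), ntlm_field(msg, 20)
    { type: 3, domain: decode_str(ntlm_field(msg, 28), flags),
      user: decode_str(ntlm_field(msg, 36), flags), host: decode_str(ntlm_field(msg, 44), flags),
      lm_len: lm.bytesize, nt_len: nt.bytesize,
      ntlm_version: nt.bytesize == 24 ? 1 : 2 }  # a 24-byte NT response is NTLMv1
  else
    raise ArgumentError, 'unsupported NTLMSSP message type'
  end
end

# Constructed Type 2: flags UNICODE|NTLM|TARGET_TYPE_DOMAIN only, target "DOMAIN", payload at 48.
t2_target = 'DOMAIN'.encode('UTF-16LE').b
SAMPLE_TYPE2 = "NTLMSSP\0".b + [2, t2_target.bytesize, t2_target.bytesize, 48, 0x10201].pack('VvvVV') +
               "\x11\x22\x33\x44\x55\x66\x77\x88".b + ("\0" * 8).b +
               [0, 0, 48 + t2_target.bytesize].pack('vvV') + t2_target

# Constructed Type 3: NTLMv1-length responses for DOMAIN\alice from WKS01, payload at 64.
fields, payload = ''.b, ''.b
bufs = ["\xAA".b * 24, "\xBB".b * 24] + %w[DOMAIN alice WKS01].map { |s| s.encode('UTF-16LE').b } + [''.b]
bufs.each { |b| fields << [b.bytesize, b.bytesize, 64 + payload.bytesize].pack('vvV'); payload << b }
SAMPLE_TYPE3 = "NTLMSSP\0".b + [3].pack('V') + fields + [0x201].pack('V') + payload
```

Feeding the two samples to parse_ntlm reports downgrade_offered true for the Type 2 and ntlm_version 1 for the Type 3, the pair a detection would want to correlate.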