Authentication Capture: SMB
Disclosed | Created
---|---
01/01/1970 | 05/30/2018
Description
This module provides an SMB service that captures the NTLMv1 and NTLMv2
challenge-response hashes sent by SMB1, SMB2, or SMB3 clients that attempt to
authenticate to it.
By default the server sends a random 8-byte challenge. A fixed value (such as
`1122334455667788`) can be set with the CHALLENGE option, which allows the captured
hashes to be cracked easily with Cain & Abel (NTLMv1) or John the Ripper (jumbo).
Note that a fixed, publicly known challenge makes NTLMv1 responses vulnerable to
precomputed (rainbow-table) attacks; NTLMv2 also mixes in a client nonce and
timestamp, so for NTLMv2 the fixed challenge only simplifies the hash format and
does not remove the per-guess work.
To exploit this, the target system must try to authenticate to this
module. One way to force an SMB authentication attempt is to embed
a UNC path (`\\SERVER\SHARE`) in a web page or email message. When
the victim views the web page or email, their system will
automatically connect to the server named in the UNC path (the IP
address of the system running this module) and attempt to
authenticate. Another option is to use `auxiliary/spoof/nbns` or
`auxiliary/spoof/llmnr` to respond to name queries the victim is already
issuing, pointing them at this host.
Documentation of the above spoofing modules can be found by running `info -d`.
Authors
hdm
Spencer McIntyre
agalway-r7
sjanusz-r7
Module Options
To display the available options, load the module within the Metasploit console and run the commands `show options` or `show advanced`:

```
msf > use auxiliary/server/capture/smb
msf auxiliary(server/capture/smb) > show actions
    ...actions...
msf auxiliary(server/capture/smb) > set ACTION < action-name >
msf auxiliary(server/capture/smb) > show options
    ...show and set options...
msf auxiliary(server/capture/smb) > run
```
