Tuesday, April 24, 2007

NTLMv1, Metasploit and You

In Metasploit 2.7 there existed a moduled called "smb_sniffer" that listened as a Windows SMB server, responded to negotiations with a preset challenge and forced crypto to NTLMv1. When I asked the devs about it they said it was for "future purposes."

That future purpose is now documented!

Step 1 - Download my slightly updated version from here and place it in your exploits/ directory.

Step 2a - Run it with root privs on a UNIX host (doesn't work on Windows, sorry).
Step 2b - Have a Windows machine connect to your "share" - they will get an access denied but stuff like will work.

Step 3 - Send the hashes to Cain & Abel for cracking or cryptanalysis! Obtain the HALFLMCHALL tables from FreeRainbowCrack.Com or run a brute force, dictionary, hybrid, etc.

Step 4 - Success!

One caveat -- the half-lm challenge table only does the first 7 characters of LANMAN. You still have to brute force the last 7 and if the user's password is greater than 14 characters, you're really out of luck.

Enjoy! :)


Anonymous said...

See you're still at it, eh? ;-) greetings programs - smj@sdf

Kurt Grutzmacher said...

Of course! We're all addicts of one thing or another. :)

Anonymous said...

greetings programs -