From: Dan Jenkins <k1dlr01 () yahoo com>
Date: Thu, 30 Jun 2011 09:56:02 -0700 (PDT)
I was trying to use the auxiliary/server/capture/smb payload to capture NTLMv2 protocol and get the NTLMv2 challenge
response data. It WORKS fine - except that it does NOT capture them in CAIN & ABEL format.
It DOES capture them in JTR format. JTR format also splits out the LMv2 and NTLMv2 formats.
My config is shown below.
Anyone else have this problem?
msf auxiliary(smb) > info
Name: Authentication Capture: SMB
License: Metasploit Framework License (BSD)
hdm <hdm () metasploit com>
Name        Current Setting   Required  Description
----        ---------------   --------  -----------
CAINPWFILE  /tmp/65.cain      no        The local filename to store the hashes in Cain&Abel format
CHALLENGE   1122334455667788  yes       The 8 byte challenge
JOHNPWFILE  /tmp/65.john      no        The prefix to the local filename to store the hashes in JOHN format
LOGFILE     /tmp/65.log       no        The local filename to store the captured hashes
SRVHOST     172.16.1.100      yes       The local host to listen on. This must be an address on the local machine or
SRVPORT     445               yes       The local port to listen on.
SSL         false             no        Negotiate SSL for incoming connections
SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
This module provides a SMB service that can be used to capture the
challenge-response password hashes of SMB client systems. Responses
sent by this service have by default the configurable challenge
string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy
cracking using Cain & Abel, L0phtcrack or John the ripper (with
jumbo patch). To exploit this, the target system must try to
authenticate to this module. The easiest way to force a SMB
authentication attempt is by embedding a UNC path (\\SERVER\SHARE)
into a web page or email message. When the victim views the web page
or email, their system will automatically connect to the server
specified in the UNC share (the IP address of the system running
this module) and attempt to authenticate.
msf auxiliary(smb) >
- Metasploit 3.8.0-dev.13016 Dan Jenkins (Jun 30)
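
The module description quoted in the post says the usual trigger is a UNC path embedded in a web page or email. The following is an added example, not part of the original post or of Metasploit: a defender-side check that a mail or web gateway could run to flag markup that would make a Windows client open an SMB connection to a remote host. The function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# \\host\share (two or more leading backslashes).
UNC_RE = re.compile(r'^\\{2,}([^\\/\s]+)[\\/]([^\\/\s]+)')
# file://host/share and file:////host/share name a remote host;
# file:///C:/path and file:///path are local and must not match.
FILE_RE = re.compile(r'^file://(?://+)?([^\\/\s:]+)[\\/]', re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "."}


def remote_smb_host(value):
    """Return the remote host an attribute value points at over SMB, or None."""
    value = value.strip()
    m = UNC_RE.match(value) or FILE_RE.match(value)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in LOCAL_HOSTS else host


class _RefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute
        # values, so entity-encoded backslashes (&#92;) are caught as well.
        for name, value in attrs:
            host = remote_smb_host(value or "")
            if host:
                self.hits.append((tag, name, host))


def scan_html(html):
    """List (tag, attribute, host) for every attribute referencing a remote UNC host."""
    scanner = _RefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed sample input (documentation addresses and example hostnames).
SAMPLE = r'''<html><body>
<img src="\\192.0.2.10\share\logo.png">
<a href="file://fileserver.example/docs/a.doc">doc</a>
<img src="&#92;&#92;192.0.2.11&#92;x&#92;p.gif">
<a href="file:///C:/Users/me/report.pdf">local</a>
<script src="//cdn.example/app.js"></script>
</body></html>'''
```

The check only inspects attribute values that begin with the reference; paths inside CSS `url(...)` or script text need a separate pass.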