Home page logo

metasploit logo Metasploit mailing list archives

Metasploit 3.8.0-dev.13016
From: Dan Jenkins <k1dlr01 () yahoo com>
Date: Thu, 30 Jun 2011 09:56:02 -0700 (PDT)

I was trying to use the auxiliary/sever/capture/smb payload to capture NTLMv2 protcol and get the NTLMv2 challenge 
response data.  It WORKS fine - except that it does NOT capture them in CAIN & ABEL format.

It DOES capture them in JTR format.  JTR format also splits out the LMv2 and NTLMv2 formats.

My config is shown below.

Anyone else have this problem ?

msf auxiliary(smb) > info

       Name: Authentication Capture: SMB
     Module: auxiliary/server/capture/smb
    Version: 12683
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  hdm <hdm () metasploit com>

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  CAINPWFILE  /tmp/65.cain      no        The local filename to store the hashes in Cain&Abel format
  CHALLENGE   1122334455667788  yes       The 8 byte challenge 
  JOHNPWFILE  /tmp/65.john      no        The prefix to the local filename to store the hashes in JOHN format
  LOGFILE     /tmp/65.log       no        The local filename to store the captured hashes
  SRVHOST      yes       The local host to listen on. This must be an address on the local machine or
  SRVPORT     445               yes       The local port to listen on.
  SSL         false             no        Negotiate SSL for incoming connections
  SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
  SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

  This module provides a SMB service that can be used to capture the 
  challenge-response password hashes of SMB client systems. Responses 
  sent by this service have by default the configurable challenge 
  string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy 
  cracking using Cain & Abel, L0phtcrack or John the ripper (with 
  jumbo patch). To exploit this, the target system must try to 
  authenticate to this module. The easiest way to force a SMB 
  authentication attempt is by embedding a UNC path (\\SERVER\SHARE) 
  into a web page or email message. When the victim views the web page 
  or email, their system will automatically connect to the server 
  specified in the UNC share (the IP address of the system running 
  this module) and attempt to authenticate.

msf auxiliary(smb) > 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]