Metasploit Module 
Recently I added a post-exploitation module to the Metasploit Framework that helps automate the NetLM downgrade attack. If you are not familiar with the attack, I highly suggest you read the following article by Dave Howard before continuing.
The purpose of this article is not to describe the NetLM attack, but rather to demonstrate how the post-exploitation module functions and how it can save time on a pentest, or even get you that next step needed to take over the network.
Briefly, you might be asking yourself why this attack is important. At a high level, if a penetration tester can obtain a NetLM hash, they can pretty much consider it equivalent to cleartext, given the halflmchal rainbow tables and John the Ripper. If you're not sure what to do with cleartext credentials, you've come to the wrong place.
Enough talk, let's jump into a demonstration. The first step is to make sure we already have the server/capture/smb module up and listening for incoming SMB connections. Once the SMB server is up and running, we can initiate a connection to pass the network hashes to the Metasploit server.
Now that we have initiated an SMB connection to the IPC$ share, we should have some network hashes in our Metasploit console.
msf post(netlm_downgrade) > jobs
0 Exploit: multi/handler
1 Auxiliary: server/capture/smb
msf post(netlm_downgrade) >
[*] SMB Captured - 2012-11-30 03:29:24 -0600
NTLMv1 Response Captured from 10.10.10.9:3189 - 10.10.10.9
USER:Accuvant DOMAIN:ACCUSCAN OS:Windows Server 2003 3790 Service Pack 2 LM:
If you look closely, you can notice that the NetLM hashes have been disabled on this system (the LM field in the capture is empty). Now let's fire off the Metasploit post-exploitation module and see what happens.
Woot! We now have some NetLM hashes, and we can start cracking them with rainbow tables + John the Ripper; in a short time we will have the user's cleartext credentials.
It doesn't matter if the Windows system is configured to never send NetLM credentials. The post-exploitation module will adjust the appropriate registry values to enable them. Once NetLM is enabled, the module will establish an SMB connection to any IP address that is defined in the SMBHOST datastore option.
If you have multiple users logged into the system, like a Citrix server, you could migrate into each user's PID and run the module to obtain every logged-in user's network hashes.
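From the defender's side, the setting the module has to change is the LSA LmCompatibilityLevel value, so auditing it is the simplest way to notice that a host has been downgraded. The following is an added example, not code from the original post or from the Metasploit module; it reads the documented LSA registry value and compares it against a baseline level you pass in (the function and parameter names are my own).

```powershell
# Added example (not the module's or the post's code): audit the LSA value
# a NetLM downgrade has to rewrite. Key and value names are the documented
# Windows LSA settings; the level meanings follow Microsoft's documentation.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NetLmExposure {
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    $level = $props.LmCompatibilityLevel      # $null when the value is absent

    # 0-1: LM response is sent alongside NTLM (the state a downgrade leaves behind)
    # 2  : NTLMv1 only, no LM response (what the empty LM field above reflects)
    # 3-5: NTLMv2 only; 4 and 5 additionally make a DC refuse LM / LM+NTLM
    if ($null -eq $level) {
        $state = 'NotSet'
        $risk  = 'OS default applies (2 on Server 2003, 3 on Vista and later)'
    } elseif ($level -le 1) {
        $state = 'LmSent'
        $risk  = 'LM response is sent; crackable with halflmchal rainbow tables'
    } elseif ($level -eq 2) {
        $state = 'NtlmV1Only'
        $risk  = 'No LM response, but NTLMv1 is still weak'
    } else {
        $state = 'NtlmV2Only'
        $risk  = 'NTLMv2 only'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        State                = $state
        Assessment           = $risk
        RecommendedLevel     = 5        # NTLMv2 only, DC refuses LM and NTLM
    }
}

# Compare against an expected baseline so a runtime downgrade stands out
# from a host that was simply built with a weak setting.
function Test-NetLmDowngrade {
    param([int]$ExpectedLevel = 3)
    $current = Get-NetLmExposure
    if ($null -ne $current.LmCompatibilityLevel -and
        $current.LmCompatibilityLevel -lt $ExpectedLevel) {
        Write-Warning ("LmCompatibilityLevel is {0}, expected at least {1} on {2}" -f
            $current.LmCompatibilityLevel, $ExpectedLevel, $current.ComputerName)
        return $false
    }
    return $true
}

Get-NetLmExposure | Format-List
Test-NetLmDowngrade -ExpectedLevel 3
```

Run it from an elevated session on the hosts you manage; for near real-time alerting rather than a periodic check, set a SACL on the Lsa key and watch Security event 4657 (registry value modified) for writes to LmCompatibilityLevel.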
The module is now part of the framework, so run msfupdate and give it a try!