Metasploit Module [1]
Recently I added a post exploit module to the metasploit framework that will help automate the NetLM Downgrade attack. If you are not familiar with the attack, I highly suggest you read the following article by Dave Howard before continuing.
The purpose of this article is not to describe the NetLM attack, but rather to demonstrate how the post exploit module functions and how it can save time on a pentest, or even get you that next step needed to take over the network.
Briefly, you might be asking yourself why this attack is important. At a high level, if a penetration tester can obtain a NetLM hash, they can pretty much consider it equivalent to cleartext, thanks to the halflmchal rainbow tables and John the Ripper. If you’re not sure what to do with cleartext credentials, you’ve come to the wrong place.
Enough talk, let’s jump into a demonstration. The first step is to make sure we already have the server/capture/smb module up and listening for incoming SMB connections. Once the SMB server is up and running, we can initiate a connection to pass the network hashes to the metasploit server.
Now that we have initiated an SMB connection to the IPC$ share, we should have some network hashes in our metasploit console.
msf post(netlm_downgrade) > jobs
Jobs
====
Id Name
-- ----
0 Exploit: multi/handler
1 Auxiliary: server/capture/smb
msf post(netlm_downgrade) >
[*] SMB Captured - 2012-11-30 03:29:24 -0600
NTLMv1 Response Captured from 10.10.10.9:3189 - 10.10.10.9
USER:Accuvant DOMAIN:ACCUSCAN OS:Windows Server 2003 3790 Service Pack 2 LM:
LMHASH:Disabled
NTHASH:beae9fddc1f736c120c1d1859feead5a3a7812c8e7b68c30
If you look closely, you’ll notice that NetLM hashes have been disabled on this system. Now let’s fire off the metasploit post exploit module and see what happens.
Woot! We now have some NetLM hashes and we can start cracking them with rainbow tables + John the Ripper, and in a short time we will have the user’s cleartext credentials.
It doesn’t matter if the Windows system is configured to never send NetLM credentials. The post exploit module will adjust the appropriate registry values to enable them. Once NetLM is enabled, the module will establish an SMB connection to the IP address defined in the SMBHOST datastore option.
If you have multiple users logged into the system, like a Citrix server, you could migrate into each user’s PID and run the module to obtain every logged-in user’s network hashes.
The module is now part of the framework, so msfupdate and give it a try!
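A defender-side check for the setting this module tampers with, added here as an example (it is not the module's code and not from the original post). It assumes the value the module lowers is LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, the standard control over whether a host will send LM responses; the post itself does not name the key. Run it on a host to see whether it is in the downgraded state, and with -Fix to re-harden it.

```powershell
# Added example: audit (and optionally re-harden) LmCompatibilityLevel.
# Assumption: this is the registry value the NetLM downgrade lowers.
param(
    [switch]$Fix   # when set, raise the level to 5 (NTLMv2 only, refuse LM & NTLM)
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name    = 'LmCompatibilityLevel'

# What each level makes the client send, per Microsoft's documentation of the setting.
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

$item  = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
$level = $item.$Name

if ($null -eq $level) {
    # Value absent: Windows falls back to an OS-dependent default
    # (2 on Server 2003, 3 on Vista/Server 2008 and later).
    $osMajor = [System.Environment]::OSVersion.Version.Major
    $level   = if ($osMajor -ge 6) { 3 } else { 2 }
    Write-Output "$Name is not set; effective default is $level"
}

Write-Output ("{0} = {1} ({2})" -f $Name, $level, $Meaning[[int]$level])

if ($level -le 1) {
    # This is the state the downgrade leaves behind: LM responses go on the wire.
    Write-Warning 'Host will send LM (NetLM) responses; this matches a downgraded host'
} elseif ($level -le 2) {
    Write-Warning 'Host sends NTLMv1 only; raise to 3 or higher'
}

if ($Fix -and $level -lt 5) {
    Set-ItemProperty -Path $KeyPath -Name $Name -Value 5 -Type DWord
    Write-Output "$Name raised to 5"
}
```

Pair the check with an alert on writes to this value (the module has to change it before it can capture anything), since the hardened level is only useful if it stays set.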
Amazing man, always we should look for alternatives, because every engagement is different from the other.
As you say, Domain users are not stored in SAM, but memory. Mimikatz does not depend on Digest Authentication for this to work. You can disable this SSP and you can still access hashes or cleartext passwords using Kerberos SSP (just Mimikatz, not WCE). And you can’t disable Kerberos …
Mimikatz isn’t really recognized by AV … unfortunately.
Can’t remember the time when I had to crack hashes or use some sophisticated attacks to become enterprise/domain Administrator.
You are right on all counts, this is just another way to do it that doesn’t require uploading a file (sometimes useful for weird rules of engagement on assessments). And since it is a post module it may be easier to run for some. Just another tool to use.
Changing this value in registry should require administrative rights. So, if I already have administrative rights why should I use this kind of attack instead of extracting LM/NTLM hashes or corresponding cleartext passwords directly from RAM? No rainbowtables or cracking required at all.
You might want to use this attack for a couple reasons. Let’s say that the user logged in is a Domain User, well that credential is not going to be stored in the SAM database on the workstation (LM/NTLM hashes) but rather only local accounts like the Administrator (UID 500).
Dumping credentials in cleartext from Digest Authentication with WCE and Mimikatz is another alternative, but this requires that Digest Authentication is enabled, and is also dependent on other services running. Also, tools like WCE and Mimikatz are often flagged by AV, where this method most likely will not be, since you’re editing the registry and making a valid SMB connection. The NetLM attack is just another option if other methods are not feasible.
Hope this helps
Nice work Brandon and thanks for the mention :-) The post module will definitely save some time and copy/pasting on upcoming pens. It’s great that they picked it up in the main trunk on github as well.
Thanks for the kind words Dave. I also am really glad they placed it into the framework, could come in handy.