Authentication Capture: SMB

This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. By default, responses sent by this service carry a configurable, fixed challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking with Cain & Abel, L0phtCrack or John the Ripper (with the jumbo patch). For this to work, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is to embed a UNC path (\\SERVER\SHARE) in a web page or email message. When the victim views the web page or email, their system automatically connects to the server named in the UNC path (the IP address of the system running this module) and attempts to authenticate.
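Because the module's default challenge is a fixed, well-known value, it doubles as a network detection signature: a sensor that parses the NTLMSSP CHALLENGE_MESSAGE returned by a server can flag the static default. The parser below is an added example for this page, not module code; the sample message it builds is constructed test data, and the negotiate flags and target name in it are made up.

```python
import struct

# Default CHALLENGE value of this module, taken from the option table on this page.
DEFAULT_CAPTURE_CHALLENGE = bytes.fromhex("1122334455667788")
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2  # MessageType of the server's CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2)


def parse_challenge_message(data: bytes) -> dict:
    """Parse the fixed fields of an NTLMSSP CHALLENGE_MESSAGE.

    Layout (little-endian): Signature(8) | MessageType(4) | TargetNameFields(8) |
    NegotiateFlags(4) | ServerChallenge(8) | Reserved(8) | TargetInfoFields(8) | payload
    """
    if len(data) < 48 or data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"not a CHALLENGE_MESSAGE (type {msg_type})")
    name_len, _name_max, name_off = struct.unpack_from("<HHI", data, 12)
    (flags,) = struct.unpack_from("<I", data, 20)
    target = data[name_off:name_off + name_len].decode("utf-16-le", "replace")
    return {"flags": flags, "challenge": data[24:32], "target_name": target}


def is_static_capture_challenge(data: bytes) -> bool:
    """True when the server used the module's well-known default challenge."""
    return parse_challenge_message(data)["challenge"] == DEFAULT_CAPTURE_CHALLENGE


def build_sample_challenge(challenge: bytes, target: str = "WORKGROUP") -> bytes:
    """Constructed CHALLENGE_MESSAGE for testing; flags and target name are made up."""
    name = target.encode("utf-16-le")
    flags = 0x00080201  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM | EXTENDED_SESSIONSECURITY
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(name), len(name), 48)        # target name sits at offset 48
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8   # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 48 + len(name))            # empty TargetInfo
    return msg + name


if __name__ == "__main__":
    for chal in (DEFAULT_CAPTURE_CHALLENGE, bytes.fromhex("0011223344556677")):
        sample = build_sample_challenge(chal)
        verdict = "static default challenge (capture server?)" if is_static_capture_challenge(sample) else "ok"
        print(chal.hex(), "->", verdict)
```

A server that sets a non-default CHALLENGE will not match, so treat this as one indicator alongside monitoring for SMB connections from clients to unexpected hosts.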

Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run


Module Options

CAINPWFILE              The local filename to store the hashes in Cain & Abel format
CHALLENGE               The 8-byte challenge (default: 1122334455667788)
JOHNPWFILE              The prefix of the local filename to store the hashes in John the Ripper format
SRVHOST                 The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0)
SRVPORT                 The local port to listen on (default: 445)
SSL                     Negotiate SSL for incoming connections
SSLCert                 Path to a custom SSL certificate (default is randomly generated)
SSLVersion              Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3)
DOMAIN_NAME             The domain name used during the SMB exchange when SMB extended security is set
ListenerComm            The specific communication channel to use for this service
NTLM_UseNTLM2_session   Activate the 'negotiate NTLM2 key' flag in NTLM authentication. When SMB extended security negotiation is set, the client will use NTLM2 session instead of NTLMv1 (default on Windows 2000 and above)
SMB_EXTENDED_SECURITY   Use SMB extended security negotiation; when set, the client will use NTLMSSP, otherwise the client will use classic LanMan authentication
USE_GSS_NEGOCIATION     Send a GSS security blob in the SMB negotiate response when SMB extended security is set. When this flag is not set, Windows will respond without GSS encapsulation, while Ubuntu will still use GSS.
VERBOSE                 Enable detailed status messages
WORKSPACE               Specify the workspace for this module
TCP::max_send_size      Maximum TCP segment size (0 = disable)
TCP::send_delay         Delay inserted before every send (0 = disable)