Land #16630 Fix duplicate ntlm hash storage

Net-NTLM (v1 and v2) hashes were being duplicated when
stored in the database due to the unique data in the challenge
dispite being the same. This fixes that issue

Author: jheysel-r7

documentation/modules/auxiliary/server/capture/smb.md

@@ -26,6 +26,8 @@ A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 H
 
 The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead.
 
+The format is `1122334455667788`.
+
 **JOHNPWFILE**
 
 A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files.

lib/msf/core/exploit/remote/smb/server/hash_capture.rb

@@ -56,13 +56,7 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
 
     return if hash_type.nil?
 
-    # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
-    # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
-    print_line "[SMB] #{hash_type} Client     : #{address}"
-    # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
-    print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
-    print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
-    print_line
+    jtr_format = ntlm_message.ntlm_version == :ntlmv1 ? JTR_NTLMV1 : JTR_NTLMV2
 
     if active_db?
       origin = create_credential_origin_service(
@@ -103,9 +97,30 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
       # found_host.os_name = credential_options[:client_os_version]
       # found_host.save!
 
+      search_options = {
+        realm: credential_options[:realm_value],
+        user: credential_options[:username],
+        hosts: credential_options[:address],
+        jtr_format: credential_options[:jtr_format],
+        type: Metasploit::Credential::NonreplayableHash,
+        workspace: framework.db.workspace
+      }
+      if framework.db.creds(search_options).count > 0
+        vprint_status("Skipping previously captured hash for #{credential_options[:realm_value]}\\#{credential_options[:username]}")
+        return
+      end
+
       create_credential(credential_options)
     end
 
+    # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
+    # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
+    print_line "[SMB] #{hash_type} Client     : #{address}"
+    # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
+    print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
+    print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
+    print_line
+
     if datastore['JOHNPWFILE']
       path = build_jtr_file_name(jtr_format)
 

modules/auxiliary/server/capture/smb.rb

@@ -17,9 +17,10 @@ def initialize
       'Description' => %q{
         This module provides a SMB service that can be used to capture the challenge-response
         password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.
-        Responses sent by this service have by default a random 8 byte challenge string
-        of format `\x11\x22\x33\x44\x55\x66\x77\x88`, allowing for easy cracking using
-        Cain & Abel (NTLMv1) or John the ripper (with jumbo patch).
+        Responses sent by this service by default use a random 8 byte challenge string.
+        A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,
+        allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper
+        (with jumbo patch).
 
         To exploit this, the target system must try to authenticate to this
         module. One way to force an SMB authentication attempt is by embedding