Land PR #16628, Log ntlm_session hashes

jheysel-r7 · jheysel-r7 · commit 8ccc1ebf91b7 · 2022-06-02T11:20:37.000-04:00
This PR fixes the logging and storing of
NTLM session hashes
diff --git a/lib/msf/core/exploit/remote/smb/server/hash_capture.rb b/lib/msf/core/exploit/remote/smb/server/hash_capture.rb
@@ -38,18 +38,20 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
     combined_hash = "#{user}::#{domain}"
 
     case ntlm_message.ntlm_version
-    when :ntlmv1
+    when :ntlmv1, :ntlm2_session
       hash_type = 'NTLMv1-SSP'
       client_hash = "#{bin_to_hex(ntlm_message.lm_response)}:#{bin_to_hex(ntlm_message.ntlm_response)}"
 
       combined_hash << ":#{client_hash}"
       combined_hash << ":#{bin_to_hex(challenge)}"
+      jtr_format = JTR_NTLMV1
     when :ntlmv2
       hash_type = 'NTLMv2-SSP'
       client_hash = "#{bin_to_hex(ntlm_message.ntlm_response[0...16])}:#{bin_to_hex(ntlm_message.ntlm_response[16..-1])}"
 
       combined_hash << ":#{bin_to_hex(challenge)}"
       combined_hash << ":#{client_hash}"
+      jtr_format = JTR_NTLMV2
     end
 
     return if hash_type.nil?
@@ -62,8 +64,6 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
     print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
     print_line
 
-    jtr_format = ntlm_message.ntlm_version == :ntlmv1 ? JTR_NTLMV1 : JTR_NTLMV2
-
     if active_db?
       origin = create_credential_origin_service(
         {
