Land rapid7#5377, Update cred reporting method for http_ntlm

wchen-r7 · wchen-r7 · commit 23c77adc6891 · 2015-05-20T11:57:42.000-05:00
diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb
@@ -293,13 +293,11 @@ def html_get_hash(arg = {})
       capturedtime = Time.now.to_s
       case ntlm_ver
       when NTLM_CONST::NTLM_V1_RESPONSE
-        smb_db_type_hash = "smb_netv1_hash"
         capturelogmessage =
           "#{capturedtime}\nNTLMv1 Response Captured from #{host} \n" +
           "DOMAIN: #{domain} USER: #{user} \n" +
           "LMHASH:#{lm_hash_message ? lm_hash_message : "<NULL>"} \nNTHASH:#{nt_hash ? nt_hash : "<NULL>"}\n"
       when NTLM_CONST::NTLM_V2_RESPONSE
-        smb_db_type_hash = "smb_netv2_hash"
         capturelogmessage =
           "#{capturedtime}\nNTLMv2 Response Captured from #{host} \n" +
           "DOMAIN: #{domain} USER: #{user} \n" +
@@ -310,7 +308,6 @@ def html_get_hash(arg = {})
       when NTLM_CONST::NTLM_2_SESSION_RESPONSE
         # we can consider those as netv1 has they have the same size and i cracked the same way by cain/jtr
         # also 'real' netv1 is almost never seen nowadays except with smbmount or msf server capture
-        smb_db_type_hash = "smb_netv1_hash"
         capturelogmessage =
           "#{capturedtime}\nNTLM2_SESSION Response Captured from #{host} \n" +
           "DOMAIN: #{domain} USER: #{user} \n" +
@@ -326,20 +323,19 @@ def html_get_hash(arg = {})
       # DB reporting
       # Rem : one report it as a smb_challenge on port 445 has breaking those hashes
       # will be mainly use for psexec / smb related exploit
-      report_auth_info(
-        :host  => ip,
-        :port => 445,
-        :sname => 'smb_challenge',
-        :user => user,
-        :pass => domain + ":" +
-          ( lm_hash + lm_cli_challenge.to_s ? lm_hash + lm_cli_challenge.to_s : "00" * 24 ) + ":" +
-          ( nt_hash + nt_cli_challenge.to_s ? nt_hash + nt_cli_challenge.to_s :  "00" * 24 ) + ":" +
-          datastore['CHALLENGE'].to_s,
-        :type => smb_db_type_hash,
-        :proof => "DOMAIN=#{domain}",
-        :source_type => "captured",
-        :active => true
-      )
+      opts_report = {
+        ip: ip,
+        user: user,
+        domain: domain,
+        ntlm_ver: ntlm_ver,
+        lm_hash: lm_hash,
+        nt_hash: nt_hash
+      }
+      opts_report.merge!(lm_cli_challenge: lm_cli_challenge) if lm_cli_challenge
+      opts_report.merge!(nt_cli_challenge: nt_cli_challenge) if nt_cli_challenge
+
+      report_creds(opts_report)
+
       #if(datastore['LOGFILE'])
       #  File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
       #end
@@ -406,4 +402,81 @@ def html_get_hash(arg = {})
     end
   end
 
+  def report_creds(opts)
+    ip = opts[:ip] || rhost
+    user = opts[:user] || nil
+    domain = opts[:domain] || nil
+    ntlm_ver = opts[:ntlm_ver] || nil
+    lm_hash = opts[:lm_hash] || nil
+    nt_hash = opts[:nt_hash] || nil
+    lm_cli_challenge = opts[:lm_cli_challenge] || nil
+    nt_cli_challenge = opts[:nt_cli_challenge] || nil
+
+    case ntlm_ver
+    when NTLM_CONST::NTLM_V1_RESPONSE, NTLM_CONST::NTLM_2_SESSION_RESPONSE
+      hash = [
+        user, '',
+        domain ? domain : 'NULL',
+        lm_hash ? lm_hash : '0' * 48,
+        nt_hash ? nt_hash : '0' * 48,
+        @challenge.unpack('H*')[0]
+      ].join(':').gsub(/\n/, '\\n')
+      report_hash(ip, user, 'netntlm', hash)
+    when NTLM_CONST::NTLM_V2_RESPONSE
+      hash = [
+        user, '',
+        domain ? domain : 'NULL',
+        @challenge.unpack('H*')[0],
+        lm_hash ? lm_hash : '0' * 32,
+        lm_cli_challenge ? lm_cli_challenge : '0' * 16
+      ].join(':').gsub(/\n/, '\\n')
+      report_hash(ip, user, 'netlmv2', hash)
+
+      hash = [
+        user, '',
+        domain ? domain : 'NULL',
+        @challenge.unpack('H*')[0],
+        nt_hash ? nt_hash : '0' * 32,
+        nt_cli_challenge ? nt_cli_challenge : '0' * 160
+      ].join(':').gsub(/\n/, '\\n')
+      report_hash(ip, user, 'netntlmv2', hash)
+    else
+      hash = domain + ':' +
+        ( lm_hash + lm_cli_challenge.to_s ? lm_hash + lm_cli_challenge.to_s : '00' * 24 ) + ':' +
+        ( nt_hash + nt_cli_challenge.to_s ? nt_hash + nt_cli_challenge.to_s :  '00' * 24 ) + ':' +
+        datastore['CHALLENGE'].to_s
+      report_hash(ip, user, nil, hash)
+    end
+  end
+
+  def report_hash(ip, user, type_hash, hash)
+    service_data = {
+      address: ip,
+      port: 445,
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: hash,
+      private_type: :nonreplayable_hash,
+      username: user
+    }.merge(service_data)
+
+    unless type_hash.nil?
+      credential_data.merge!(jtr_format: type_hash)
+    end
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+
 end
