metasploit.com/documents/api/rex/index.html
Using Metasploit as a Man-in-the-Middle Password Stealer
We used Metasploit as a malicious web server earlier to host the VML exploit and lure unsuspecting, unpatched victims into getting exploited. It turns out that Metasploit's malicious server functionality is not limited to HTTP: the framework also implements a complete, custom SMB server. This enables a very interesting attack. But first, some background on password hashes.
Chapter 4: Using Metasploit
Weakness in the NTLM Protocol
Windows computers authenticate to each other using the NTLM protocol, a challenge-response exchange in which the server generates a "random" 8-byte challenge and the client answers with a value computed from that challenge and a hash of its credentials. In theory this works great. The password hash is a one-way function: the client computes a response from its hash, the server computes the same response from its stored copy of the hash, and if the two match, the client is allowed access. The exchange should withstand a malicious hacker sniffing the wire because the credentials themselves are never sent, only a response derived from a one-way hash.
In practice, however, there are a few weaknesses in this scheme. First, imagine that the server (Metasploit) is a malicious bad guy who lures a client to authenticate.
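The exchange just described, as an added example that is not part of the book and not Metasploit's own code. It models the NTLMv2 flavour (HMAC-MD5 over the server's 8-byte challenge, keyed by a value derived from the NT hash), since the text describes NTLM only in general terms; the account name, domain, and password are constructed for illustration, and MD4 is implemented inline because many OpenSSL builds no longer expose it through `hashlib`. The `Server` class holds NT hashes only and, as in the text, is the party that picks the challenge; `authenticate` returns both the verdict and the two values a sniffer would actually see on the wire.

```python
# Added example (not from the book or from Metasploit): a self-contained model of the
# NTLMv2 challenge-response described in the text. The user, domain, and password
# below are constructed for illustration.
import hashlib
import hmac
import os
import struct
import time


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here because hashlib's MD4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, ks, shifts, k in rounds:
            for i, idx in enumerate(ks):
                a = _rotl((a + f(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The one-way hash of the credential: MD4 over the UTF-16LE password. The server stores this, not the password."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """Per-user NTLMv2 key derived from the NT hash (MS-NLMP NTOWFv2)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes, filetime: int) -> bytes:
    """NtChallengeResponse = NTProofStr || temp; temp carries the client nonce and timestamp."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + b"\x00" * 4)  # empty target-info list
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


class Server:
    """Holds NT hashes only and chooses the 8-byte challenge, exactly as the text describes."""

    def __init__(self, accounts):
        self.accounts = accounts  # user -> NT hash
        self.chal = None

    def challenge(self) -> bytes:
        # The server, not the client, picks this value; an honest server draws it at random.
        self.chal = os.urandom(8)
        return self.chal

    def verify(self, user: str, domain: str, response: bytes) -> bool:
        nt = self.accounts.get(user)
        if nt is None or self.chal is None or len(response) < 16:
            return False
        proof, temp = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(nt, user, domain), self.chal + temp, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)


def authenticate(server: Server, user: str, domain: str, password: str):
    """Run one exchange; return (accepted, wire) where wire is everything a sniffer would see."""
    chal = server.challenge()                                    # server -> client
    filetime = (int(time.time()) + 11644473600) * 10_000_000     # Windows FILETIME (100 ns since 1601)
    resp = ntlmv2_response(ntowf_v2(nt_hash(password), user, domain), chal, os.urandom(8), filetime)
    return server.verify(user, domain, resp), {"challenge": chal, "response": resp}  # client -> server


# Constructed sample account: hypothetical user "alice" with password "password".
ACCOUNTS = {"alice": nt_hash("password")}
SERVER = Server(ACCOUNTS)

if __name__ == "__main__":
    ok, wire = authenticate(SERVER, "alice", "CORP", "password")
    print("accepted:", ok, "| challenge:", wire["challenge"].hex(), "| proof:", wire["response"][:16].hex())
    print("wrong password accepted:", authenticate(SERVER, "alice", "CORP", "wrong")[0])
```

Running it twice shows a different challenge and proof each time while the password never appears on the wire, which is the property the text credits to the scheme; the hardening and the attacks the chapter goes on to discuss all hinge on who controls that challenge.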