Class: Metasploit::Credential::NTLMHash

Inherits:

ReplayableHash

• Object
• ApplicationRecord
• Private
• PasswordHash
• ReplayableHash
• Metasploit::Credential::NTLMHash

Defined in:

app/models/metasploit/credential/ntlm_hash.rb

Overview

A password hash that can be replayed to authenticate to SMB. It is composed of two hash hex digests (where the hash bytes are printed as a hexadecimal string where 2 characters represent a byte of the original hash with the high nibble first): (1) the LAN Manager hash’s hex digest and (2) the NTLM hash’s hex digest.

Constant Summary

LAN_MANAGER_MAX_CHARACTERS =

If the password data exceeds 14 characters, then a LanManager hash cannot be calculated and then the effective password data is ” when calculating the lan_manager_hex_digest_from_password_data.

See Also:

• https://en.wikipedia.org/wiki/LM_hash#Algorithm

14

LAN_MANAGER_HEX_DIGEST_REGEXP =

Valid format for LAN Manager hex digest portion of #data: 32 lowercase hexadecimal characters.

/[0-9a-f]{32}/

NT_LAN_MANAGER_HEX_DIGEST_REGEXP =

Valid format for NT LAN Manager hex digest portion of #data: 32 lowercase hexadecimal characters.

/[0-9a-f]{32}/

DATA_REGEXP =

Valid format for #data composed of ‘’<LAN Manager hex digest>:<NT LAN Manager hex digest>‘`.

/\A#{LAN_MANAGER_HEX_DIGEST_REGEXP}:#{NT_LAN_MANAGER_HEX_DIGEST_REGEXP}\z/

BLANK_LM_HASH =

Value of lan_manager_hex_digest_from_password_data when the effective password is blank because it exceeds LAN_MANAGER_MAX_CHARACTERS

'aad3b435b51404eeaad3b435b51404ee'

BLANK_NT_HASH =

Value of nt_lan_manager_hex_digest_from_password_data when the password is blank.

'31d6cfe0d16ae931b73c59d7e0c089c0'

Instance Attribute Summary

• #data ⇒ String

  The LAN Manager hex digest combined with the NT LAN Manager hex digest.

Attributes inherited from Private

#cores, #created_at, #id, #type, #updated_at

Class Method Summary

• .data_from_password_data(password_data) ⇒ String

  Converts Password#data to #data.

• .hex_digest(hash) ⇒ String

  Converts a buffer containing ‘hash` bytes to a String containing the hex digest of that `hash`.

• .lan_manager_hex_digest_from_password_data(password_data) ⇒ String

  Converts Password#data to an LanManager Hash hex digest.

• .nt_lan_manager_hex_digest_from_password_data(password_data) ⇒ String

  Converts Password#data to a NTLM Hash hex digest.

Instance Method Summary

• #blank_password? ⇒ Boolean

  Instance Methods.

• #lm_hash_present? ⇒ Boolean

Methods inherited from Private

#to_s

Instance Attribute Details

#data ⇒ String

The LAN Manager hex digest combined with the NT LAN Manager hex digest.

Returns:

• (String) —

  ‘’<LAN Manager hex digest>:<NT LAN Manager hex digest>‘`

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 52

Class Method Details

.data_from_password_data(password_data) ⇒ String

Converts Password#data to #data. Handles passwords over the LanManager limit of 14 characters by treating them as ” for the LanManager Hash calculation, but their actual value for the NTLM hash calculation.

Returns:

• (String) —

  ‘’<LAN Manager hex digest>:<NT LAN Manager hex digest>‘`

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 85

def self.data_from_password_data(password_data)
  hex_digests = ['', 'nt_'].collect do |prefix|
    send("#{prefix}lan_manager_hex_digest_from_password_data", password_data)
  end

  hex_digests.join(':')
end

.hex_digest(hash) ⇒ String

Converts a buffer containing ‘hash` bytes to a String containing the hex digest of that `hash`.

Parameters:

• hash (String) —

  a buffer of bytes

Returns:

• (String) —

  a string where every 2 hexadecimal characters represents a byte in the original hash buffer.

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 97

def self.hex_digest(hash)
  hash.unpack('H*').first
end

.lan_manager_hex_digest_from_password_data(password_data) ⇒ String

Converts Password#data to an LanManager Hash hex digest. Handles passwords over the LanManager limit of 14 characters by treating them as ” for the LanManager Hash calculation.

Parameters:

• password_data (String) —

  the plain text password

Returns:

• (String) —

  a 32 character hexadecimal string

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 106

def self.lan_manager_hex_digest_from_password_data(password_data)
  effective_password_data = password_data

  if password_data.length > LAN_MANAGER_MAX_CHARACTERS
    effective_password_data = ''
  end

  lm_hash = Net::NTLM.lm_hash(effective_password_data)
  hex_digest(lm_hash)
end

.nt_lan_manager_hex_digest_from_password_data(password_data) ⇒ String

Converts Password#data to a NTLM Hash hex digest.

Parameters:

• password_data (String) —

  the plain text password

Returns:

• (String) —

  a 32 character hexadecimal string

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 121

def self.nt_lan_manager_hex_digest_from_password_data(password_data)
  ntlm_hash = Net::NTLM.ntlm_hash(password_data)
  hex_digest(ntlm_hash)
end

Instance Method Details

#blank_password? ⇒ Boolean

Instance Methods

Returns:

• (Boolean)

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 130

def blank_password?
  self.data.include? "#{BLANK_LM_HASH}:#{BLANK_NT_HASH}"
end

#lm_hash_present? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/metasploit/credential/ntlm_hash.rb', line 134

def lm_hash_present?
  !self.data.start_with? BLANK_LM_HASH
end