HTTP Client MS Credential Catcher
This module attempts to quietly catch NTLM/LM Challenge hashes.
Rank
- Normal
Authors
- Ryan Linn < sussurro [at] happypacket.net >
Development
Similar Modules
- auxiliary/server/capture/ftp
- auxiliary/server/capture/http
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/imap
- auxiliary/server/capture/pop3
- auxiliary/server/capture/smb
- auxiliary/server/capture/smtp
- auxiliary/server/capture/telnet
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > run
Module Options
| CAINPWFILE | The local filename to store the hashes in Cain&Abel format |
| CHALLENGE | The 8 byte challenge (default: 1122334455667788) |
| JOHNPWFILE | The prefix to the local filename to store the hashes in JOHN format |
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The local port to listen on. (default: 8080) |
| SSL | Negotiate SSL for incoming connections |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| URIPATH | The URI to use for this exploit (default is random) |
| DNSDOMAIN | The default DNS domain name to use for NTLM authentication |
| DNSNAME | The default DNS server name to use for NTLM authentication |
| DOMAIN | The default domain to use for NTLM authentication |
| FORCEDEFAULT | Force the default settings |
| ListenerComm | The specific communication channel to use for this service |
| SERVER | The default server to use for NTLM authentication |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| HTML::base64 | Enable HTML obfuscation via an embeded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::junk_headers | Enable insertion of random junk HTTP headers |
| HTTP::server_name | Configures the Server header of all outgoing replies |
| TCP::max_send_size | Maximum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |