SMTP NTLM Domain Extraction - Metasploit

This page contains detailed information about how to use the auxiliary/scanner/smtp/smtp_ntlm_domain metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: SMTP NTLM Domain Extraction
Module: auxiliary/scanner/smtp/smtp_ntlm_domain
Source code: modules/auxiliary/scanner/smtp/smtp_ntlm_domain.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: smtp, smtps
Target network port(s): 25, 465, 587, 2525, 25000, 25025
List of CVEs: -

Extract the Windows domain name from an SMTP NTLM challenge.

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/smtp/smtp_ntlm_domain
msf auxiliary(smtp_ntlm_domain) > show options
    ... show and set options ...
msf auxiliary(smtp_ntlm_domain) > set RHOSTS ip-range
msf auxiliary(smtp_ntlm_domain) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(smtp_ntlm_domain) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(smtp_ntlm_domain) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(smtp_ntlm_domain) > set RHOSTS file:/tmp/ip_list.txt

Required Options

---

• RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Go back to menu.

Msfconsole Usage

---

Here is how the scanner/smtp/smtp_ntlm_domain auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/smtp/smtp_ntlm_domain

msf6 auxiliary(scanner/smtp/smtp_ntlm_domain) > show info

       Name: SMTP NTLM Domain Extraction
     Module: auxiliary/scanner/smtp/smtp_ntlm_domain
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Rich Whitcroft <[email protected]>

Check supported:
  No

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  EHLO_DOMAIN  localhost        yes       The domain to send with the EHLO command
  RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT        25               yes       The target port (TCP)
  THREADS      1                yes       The number of concurrent threads (max one per host)

Description:
  Extract the Windows domain name from an SMTP NTLM challenge.

References:
  http://msdn.microsoft.com/en-us/library/cc246870.aspx

Module Options

---

This is a complete list of options available in the scanner/smtp/smtp_ntlm_domain auxiliary module:

msf6 auxiliary(scanner/smtp/smtp_ntlm_domain) > show options

Module options (auxiliary/scanner/smtp/smtp_ntlm_domain):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   EHLO_DOMAIN  localhost        yes       The domain to send with the EHLO command
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        25               yes       The target port (TCP)
   THREADS      1                yes       The number of concurrent threads (max one per host)

Advanced Options

---

Here is a complete list of advanced options supported by the scanner/smtp/smtp_ntlm_domain auxiliary module:

msf6 auxiliary(scanner/smtp/smtp_ntlm_domain) > show advanced

Module advanced options (auxiliary/scanner/smtp/smtp_ntlm_domain):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   CHOST                                 no        The local client address
   CPORT                                 no        The local client port
   ConnectTimeout       10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                             no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode        PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion           Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the scanner/smtp/smtp_ntlm_domain module can do:

msf6 auxiliary(scanner/smtp/smtp_ntlm_domain) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the scanner/smtp/smtp_ntlm_domain auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/smtp/smtp_ntlm_domain) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)

Go back to menu.

Error Messages

---

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

<RHOST>:<RPORT> No banner received, aborting...

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> No banner received, aborting..." error message:

30:	    begin
31:	      domain = nil
32:	      connect
33:	
34:	      unless banner
35:	        vprint_error("#{rhost}:#{rport} No banner received, aborting...")
36:	        return
37:	      end
38:	
39:	      vprint_status("#{rhost}:#{rport} Connected: #{banner.strip.inspect}")
40:	

<RHOST>:<RPORT> No NTLM extensions found

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> No NTLM extensions found" error message:

45:	      sock.puts("EHLO " + datastore['EHLO_DOMAIN'] + "\r\n")
46:	
47:	      # Find all NTLM references in the EHLO response
48:	      exts = sock.get_once.to_s.split(/\n/).grep(/NTLM/)
49:	      if exts.length == 0
50:	        vprint_error("#{rhost}:#{rport} No NTLM extensions found")
51:	        return
52:	      end
53:	
54:	      exts.each do |ext|
55:	

<RHOST>:<RPORT> Invalid challenge response, aborting...

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> Invalid challenge response, aborting..." error message:

85:	
86:	          begin
87:	            # Extract the domain out of the NTLM response
88:	            ntlm_reply = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(challenge))
89:	            if ! ntlm_reply && ntlm_reply.has_key?(:target_name)
90:	              vprint_status("#{rhost}:#{rport} Invalid challenge response, aborting...")
91:	              break
92:	            end
93:	
94:	            # TODO: Extract the server name from :target_info as well
95:	            domain = ntlm_reply[:target_name].value.to_s.gsub(/\x00/, '')

<RHOST>:<RPORT> Invalid target name in challenge response, aborting...

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> Invalid target name in challenge response, aborting..." error message:

92:	            end
93:	
94:	            # TODO: Extract the server name from :target_info as well
95:	            domain = ntlm_reply[:target_name].value.to_s.gsub(/\x00/, '')
96:	            if domain.to_s.length == 0
97:	              vprint_status("#{rhost}:#{rport} Invalid target name in challenge response, aborting...")
98:	              break
99:	            end
100:	
101:	            print_good("#{rhost}:#{rport} Domain: #{domain}")
102:	            report_note(host: rhost, port: rport, proto: 'tcp', type: 'smtp.ntlm_auth_info', data: { domain: domain })

<RHOST>:<RPORT> Invalid challenge response message, aborting...

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> Invalid challenge response message, aborting..." error message:

101:	            print_good("#{rhost}:#{rport} Domain: #{domain}")
102:	            report_note(host: rhost, port: rport, proto: 'tcp', type: 'smtp.ntlm_auth_info', data: { domain: domain })
103:	            break
104:	
105:	          rescue ::Rex::ArgumentError
106:	            vprint_status("#{rhost}:#{rport} Invalid challenge response message, aborting...")
107:	            break
108:	          end
109:	        end
110:	      end
111:	

<RHOST>:<RPORT> No NTLM domain found

---

Here is a relevant code snippet related to the "<RHOST>:<RPORT> No NTLM domain found" error message:

108:	          end
109:	        end
110:	      end
111:	
112:	      if ! domain
113:	        vprint_error("#{rhost}:#{rport} No NTLM domain found")
114:	      end
115:	
116:	    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error
117:	      # Ignore common networking and response timeout errors
118:	    ensure

Go back to menu.

Related Pull Requests

---

• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #4258 Merged Pull Request: Fixup for release

References

---

• CVE: Not available
• http://msdn.microsoft.com/en-us/library/cc246870.aspx

See Also

---

Check also the following modules related to this module:

• auxiliary/scanner/smtp/smtp_enum
• auxiliary/scanner/smtp/smtp_relay
• auxiliary/scanner/smtp/smtp_version
• auxiliary/fuzzers/smtp/smtp_fuzzer
• auxiliary/client/smtp/emailer
• auxiliary/dos/smtp/sendmail_prescan
• auxiliary/dos/windows/smtp/ms06_019_exchange
• exploit/linux/smtp/apache_james_exec
• exploit/linux/smtp/exim4_dovecot_exec
• exploit/linux/smtp/exim_gethostbyname_bof
• exploit/linux/smtp/haraka
• exploit/unix/smtp/clamav_milter_blackhole
• exploit/unix/smtp/exim4_string_format
• exploit/unix/smtp/morris_sendmail_debug
• exploit/unix/smtp/opensmtpd_mail_from_rce
• exploit/unix/smtp/qmail_bash_env_exec
• exploit/windows/smtp/mailcarrier_smtp_ehlo
• exploit/windows/smtp/mercury_cram_md5
• exploit/windows/smtp/ms03_046_exchange2000_xexch50
• exploit/windows/smtp/njstar_smtp_bof
• exploit/windows/smtp/sysgauge_client_bof
• exploit/windows/smtp/wmailserver
• exploit/windows/smtp/ypops_overflow1
• auxiliary/scanner/http/wp_easy_wp_smtp
• auxiliary/server/capture/smtp
• auxiliary/gather/nis_bootparamd_domain
• auxiliary/scanner/smb/smb_enumusers_domain
• auxiliary/spoof/dns/bailiwicked_domain
• exploit/unix/local/opensmtpd_oob_read_lpe
• auxiliary/scanner/http/ntlm_info_enumeration

Authors

---

• Rich Whitcroft <rwhitcroft[at]digitalboundary.net>

Version

---

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.