class Metasploit::Credential::NTLMHash

A {Metasploit::Credential::PasswordHash password hash} that can be {Metasploit::Credential::ReplayableHash replayed} to authenticate to SMB. It is composed of two hash hex digests: (1) {lan_manager_hex_digest_from_password_data the LAN Manager hash's hex digest} and (2) {nt_lan_manager_hex_digest_from_password_data the NTLM hash's hex digest}. In a hex digest, the hash bytes are printed as a hexadecimal string in which every 2 characters represent one byte of the original hash, with the high nibble first.

Constants

BLANK_LM_HASH

Value of {lan_manager_hex_digest_from_password_data} when the effective password is blank because the password exceeds {LAN_MANAGER_MAX_CHARACTERS}.

BLANK_NT_HASH

Value of {nt_lan_manager_hex_digest_from_password_data} when the password is blank.

DATA_REGEXP

Valid format for {#data} composed of `<LAN Manager hex digest>:<NT LAN Manager hex digest>`.

LAN_MANAGER_HEX_DIGEST_REGEXP

Valid format for LAN Manager hex digest portion of {#data}: 32 lowercase hexadecimal characters.

LAN_MANAGER_MAX_CHARACTERS

If the password data exceeds 14 characters, then a LanManager hash cannot be calculated and the effective password data is '' when calculating the {lan_manager_hex_digest_from_password_data}.

@see en.wikipedia.org/wiki/LM_hash#Algorithm

NT_LAN_MANAGER_HEX_DIGEST_REGEXP

Valid format for NT LAN Manager hex digest portion of {#data}: 32 lowercase hexadecimal characters.

Public Class Methods

data_from_password_data(password_data)

Converts {Metasploit::Credential::Password#data} to {#data}. Handles passwords over the LanManager limit of 14 characters by treating them as '' for the LanManager hash calculation, while using their actual value for the NTLM hash calculation.

@return (see data)

# File app/models/metasploit/credential/ntlm_hash.rb, line 85
def self.data_from_password_data(password_data)
  hex_digests = ['', 'nt_'].collect do |prefix|
    send("#{prefix}lan_manager_hex_digest_from_password_data", password_data)
  end

  hex_digests.join(':')
end

hex_digest(hash)

Converts a buffer containing `hash` bytes to a String containing the hex digest of that `hash`.

@param hash [String] a buffer of bytes
@return [String] a string where every 2 hexadecimal characters represents a byte in the original hash buffer.

# File app/models/metasploit/credential/ntlm_hash.rb, line 97
def self.hex_digest(hash)
  hash.unpack('H*').first
end

lan_manager_hex_digest_from_password_data(password_data)

Converts {Metasploit::Credential::Password#data} to a LanManager hash hex digest. Handles passwords over the LanManager limit of 14 characters by treating them as '' for the LanManager hash calculation.

@param password_data [String] the plain text password
@return [String] a 32 character hexadecimal string

# File app/models/metasploit/credential/ntlm_hash.rb, line 106
def self.lan_manager_hex_digest_from_password_data(password_data)
  effective_password_data = password_data

  if password_data.length > LAN_MANAGER_MAX_CHARACTERS
    effective_password_data = ''
  end

  lm_hash = Net::NTLM.lm_hash(effective_password_data)
  hex_digest(lm_hash)
end

nt_lan_manager_hex_digest_from_password_data(password_data)

Converts {Metasploit::Credential::Password#data} to a NTLM Hash hex digest.

@param password_data [String] the plain text password
@return [String] a 32 character hexadecimal string

# File app/models/metasploit/credential/ntlm_hash.rb, line 121
def self.nt_lan_manager_hex_digest_from_password_data(password_data)
  ntlm_hash = Net::NTLM.ntlm_hash(password_data)
  hex_digest(ntlm_hash)
end

Public Instance Methods

blank_password?()

# File app/models/metasploit/credential/ntlm_hash.rb, line 130
def blank_password?
  self.data.include? "#{BLANK_LM_HASH}:#{BLANK_NT_HASH}"
end

lm_hash_present?()

# File app/models/metasploit/credential/ntlm_hash.rb, line 134
def lm_hash_present?
  !self.data.start_with? BLANK_LM_HASH
end

Private Instance Methods

data_format()

Validates that {#data} is in the NTLM data format of <LAN Manager hex digest>:<NT LAN Manager hex digest>. Both hex digests are 32 lowercase hexadecimal characters.

# File app/models/metasploit/credential/ntlm_hash.rb, line 142
def data_format
  unless DATA_REGEXP.match(data)
    errors.add(:data, :format)
  end
end
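
The format rule and the two predicates above can be combined into a credential-store audit. The following is an added example, not code from metasploit-credential. All constant and method names are this example's own, the two blank digests are the well-known LM and NT hashes of the empty string, and the sample records are constructed.

```ruby
# Added example: audit "<LM hex>:<NT hex>" strings without loading the model.
EXAMPLE_BLANK_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM hash of ''
EXAMPLE_BLANK_NT = '31d6cfe0d16ae931b73c59d7e0c089c0' # NT hash of ''
EXAMPLE_HEX32 = /[0-9a-f]{32}/
# \A and \z anchor the whole string. With ^ and $ a valid first line followed
# by a newline and extra data would still pass validation.
EXAMPLE_DATA_REGEXP = /\A(?<lm>#{EXAMPLE_HEX32}):(?<nt>#{EXAMPLE_HEX32})\z/

# Returns the list of findings for one data string (empty list means clean).
def classify_ntlm_data(data)
  m = EXAMPLE_DATA_REGEXP.match(data.to_s)
  return [:bad_format] unless m

  lm_blank = m[:lm] == EXAMPLE_BLANK_LM
  findings = []
  # Both halves blank: the account has an empty password.
  findings << :blank_password if lm_blank && m[:nt] == EXAMPLE_BLANK_NT
  # A non-blank LM half means the weaker LAN Manager hash is being stored.
  findings << :lm_hash_stored unless lm_blank
  findings
end

# Constructed sample digests and records (not real account data).
CONSTRUCTED_LM = 'fedcba9876543210fedcba9876543210'
CONSTRUCTED_NT = '0123456789abcdef0123456789abcdef'
SAMPLE_RECORDS = {
  'svc_backup' => "#{CONSTRUCTED_LM}:#{CONSTRUCTED_NT}",
  # Blank LM with a real NT half: no LM hash stored (e.g. password over 14 chars).
  'alice'      => "#{EXAMPLE_BLANK_LM}:#{CONSTRUCTED_NT}",
  'guest'      => "#{EXAMPLE_BLANK_LM}:#{EXAMPLE_BLANK_NT}",
  # Uppercase hex fails the lowercase-only format and must be downcased first.
  'imported'   => "#{EXAMPLE_BLANK_LM}:#{CONSTRUCTED_NT.upcase}",
  'multiline'  => "#{EXAMPLE_BLANK_LM}:#{CONSTRUCTED_NT}\nextra"
}.freeze

# Maps each user to its findings and drops the clean records.
def audit_ntlm_records(records)
  records.transform_values { |data| classify_ntlm_data(data) }
         .reject { |_user, findings| findings.empty? }
end

if __FILE__ == $PROGRAM_NAME
  audit_ntlm_records(SAMPLE_RECORDS).each do |user, findings|
    puts "#{user}: #{findings.join(', ')}"
  end
end
```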