Refactor HashCapture

jheysel-r7 · jheysel-r7 · commit 5111f9eb52d0 · 2026-04-02T13:14:06.000-07:00
diff --git a/lib/msf/core/exploit/remote/relay/ntlm/hash_capture.rb b/lib/msf/core/exploit/remote/relay/ntlm/hash_capture.rb
@@ -7,7 +7,7 @@
 require 'ruby_smb'
 
 module Msf
-  module Exploit::Remote::SMB::Server::HashCapture
+  module Exploit::Remote::Relay::NTLM::HashCapture
 
     include ::Msf::Auxiliary::Report
 
@@ -20,7 +20,7 @@ def initialize(info = {})
         ], self.class)
     end
 
-    def validate_smb_hash_capture_datastore(datastore, ntlm_provider)
+    def validate_hash_capture_datastore(datastore, ntlm_provider)
       if datastore['CHALLENGE']
         # Set challenge for all future server responses
 
@@ -36,7 +36,7 @@ def validate_smb_hash_capture_datastore(datastore, ntlm_provider)
       end
     end
 
-    def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
+    def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:, service_name:)
       ntlm_message = ntlm_type3
       hash_type = nil
 
@@ -69,7 +69,7 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
           {
             address: address,
             port: srvport,
-            service_name: 'smb',
+            service_name: service_name.downcase,
             protocol: 'tcp',
             module_fullname: fullname,
             workspace_id: myworkspace_id
@@ -81,7 +81,7 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
           origin_type: :service,
           address: address,
           port: srvport,
-          service_name: 'smb',
+          service_name: service_name.downcase,
           username: user,
           server_challenge: challenge,
           client_hash: client_hash,
@@ -121,10 +121,12 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
 
       # TODO: write method for mapping +major+ and +minor+ OS values to human-readable OS names.
       # client_os_version = ::NTLM::OSVersion.read(type1_msg.os_version)
-      print_line "[SMB] #{hash_type} Client     : #{address}"
-      # print_line "[SMB] #{hash_type} Client OS  : #{client_os_version}"
-      print_line "[SMB] #{hash_type} Username   : #{domain}\\#{user}"
-      print_line "[SMB] #{hash_type} Hash       : #{combined_hash}"
+
+      protocol_prefix = service_name.upcase
+      print_line "[#{protocol_prefix}] #{hash_type} Client     : #{address}"
+      # print_line "[#{protocol_prefix}] #{hash_type} Client OS  : #{client_os_version}"
+      print_line "[#{protocol_prefix}] #{hash_type} Username   : #{domain}\\#{user}"
+      print_line "[#{protocol_prefix}] #{hash_type} Hash       : #{combined_hash}"
       print_line
 
       if datastore['JOHNPWFILE']
@@ -136,12 +138,13 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
       end
     end
 
-    def on_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
+    def on_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:, service_name:)
       report_ntlm_type3(
         address: address,
         ntlm_type1: ntlm_type1,
         ntlm_type2: ntlm_type2,
-        ntlm_type3: ntlm_type3
+        ntlm_type3: ntlm_type3,
+        service_name: service_name
       )
     end
 
@@ -174,10 +177,11 @@ def bin_to_hex(str)
     class HashCaptureNTLMProvider < ::RubySMB::Gss::Provider::NTLM
       # @param [::WindowsError::NTStatus] ntlm_type3_status A specific NT Status to return as the response to the NTLM
       #   type 3 message. If this value is nil, the message will be processed as normal.
-      def initialize(allow_anonymous: false, allow_guests: false, default_domain: 'WORKGROUP', listener: nil, ntlm_type3_status: ::WindowsError::NTStatus::STATUS_ACCESS_DENIED)
+      def initialize(allow_anonymous: false, allow_guests: false, default_domain: 'WORKGROUP', listener: nil, ntlm_type3_status: ::WindowsError::NTStatus::STATUS_ACCESS_DENIED, service_name:)
         super(allow_anonymous: allow_anonymous, allow_guests: allow_guests, default_domain: default_domain)
         @listener = listener
         @ntlm_type3_status = ntlm_type3_status
+        @service_name = service_name
       end
 
       # Needs overwritten to ensure our version of Authenticator is returned
@@ -188,7 +192,7 @@ def new_authenticator(server_client)
       end
 
       attr_reader :listener
-      attr_accessor :ntlm_type3_status
+      attr_accessor :ntlm_type3_status, :service_name
     end
 
     class HashCaptureAuthenticator < ::RubySMB::Gss::Provider::NTLM::Authenticator
@@ -208,6 +212,7 @@ def process_ntlm_type3(type3_msg)
             ntlm_type1: @ntlm_type1,
             ntlm_type2: @ntlm_type2,
             ntlm_type3: type3_msg,
+            service_name: @provider.service_name
           )
         end
 
diff --git a/lib/msf/core/exploit/remote/smb/relay/ntlm/server_client.rb b/lib/msf/core/exploit/remote/smb/relay/ntlm/server_client.rb
@@ -249,7 +249,8 @@ def relay_ntlmssp(session, incoming_security_buffer = nil)
             address: relayed_connection.target.ip,
             ntlm_type1: session.metadata[:incoming_negotiate_message],
             ntlm_type2: session.metadata[:relay_target_server_challenge],
-            ntlm_type3: session.metadata[:incoming_challenge_response]
+            ntlm_type3: session.metadata[:incoming_challenge_response],
+            service_name: 'SMB'
           )
           @listener.on_relay_success(relay_connection: relayed_connection, relay_identity: session.metadata[:identity])
         else
diff --git a/lib/msf/core/exploit/remote/smb/relay_server.rb b/lib/msf/core/exploit/remote/smb/relay_server.rb
@@ -6,7 +6,7 @@ module Exploit::Remote::SMB
     module RelayServer
       include ::Msf::Auxiliary::MultipleTargetHosts
       include ::Msf::Exploit::Remote::SocketServer
-      include ::Msf::Exploit::Remote::SMB::Server::HashCapture
+      include ::Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
       def initialize(info = {})
         super
@@ -115,7 +115,7 @@ def start_service(_opts = {})
         ntlm_provider.netbios_domain = datastore['SMBDomain']
         ntlm_provider.netbios_hostname = datastore['SMBDomain']
 
-        validate_smb_hash_capture_datastore(datastore, ntlm_provider)
+        validate_hash_capture_datastore(datastore, ntlm_provider)
 
         comm = _determine_server_comm(bindhost)
         @service = Rex::ServiceManager.start(
diff --git a/lib/msf/core/exploit/remote/smb/server/share.rb b/lib/msf/core/exploit/remote/smb/server/share.rb
@@ -7,7 +7,7 @@ module Exploit::Remote::SMB::Server
     # live in the root folder "\\".
     module Share
       include ::Msf::Exploit::Remote::SMB::Server
-      include ::Msf::Exploit::Remote::SMB::Server::HashCapture
+      include ::Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
       # @!attribute share
       #   @return [String] The share portion of the provided UNC.
@@ -41,11 +41,12 @@ def initialize(info = {})
 
       def start_service(opts = {})
         unless opts[:gss_provider]
-          ntlm_provider = Msf::Exploit::Remote::SMB::Server::HashCapture::HashCaptureNTLMProvider.new(
+          ntlm_provider = Msf::Exploit::Remote::Relay::NTLM::HashCapture::HashCaptureNTLMProvider.new(
             allow_anonymous: true,
             allow_guests: true,
             listener: self,
-            ntlm_type3_status: nil
+            ntlm_type3_status: nil,
+            service_name: 'SMB'
           )
 
           # Set domain name for all future server responses
diff --git a/lib/msf/core/payload/adapter/fetch/server/smb.rb b/lib/msf/core/payload/adapter/fetch/server/smb.rb
@@ -1,19 +1,20 @@
 module Msf::Payload::Adapter::Fetch::Server::SMB
 
   include ::Msf::Exploit::Remote::SMB::LogAdapter
-  include ::Msf::Exploit::Remote::SMB::Server::HashCapture
+  include ::Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
   def start_smb_server(srvport, srvhost)
     vprint_status("Starting SMB server on #{Rex::Socket.to_authority(srvhost, srvport)}")
 
     log_device = LogDevice::Framework.new(framework)
     logger = Logger.new(self, log_device)
 
-    ntlm_provider = Msf::Exploit::Remote::SMB::Server::HashCapture::HashCaptureNTLMProvider.new(
+    ntlm_provider = Msf::Exploit::Remote::Relay::NTLM::HashCapture::HashCaptureNTLMProvider.new(
       allow_anonymous: true,
       allow_guests: true,
       listener: self,
-      ntlm_type3_status: nil
+      ntlm_type3_status: nil,
+      service_name: 'SMB'
     )
 
     fetch_service = Rex::ServiceManager.start(
diff --git a/modules/auxiliary/fileformat/environment_variable_datablock_leak.rb b/modules/auxiliary/fileformat/environment_variable_datablock_leak.rb
@@ -9,7 +9,7 @@ class MetasploitModule < Msf::Auxiliary
 
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::Remote::SMB::Server::Share
-  include Msf::Exploit::Remote::SMB::Server::HashCapture
+  include Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
   def initialize(info = {})
     super(
diff --git a/modules/auxiliary/fileformat/icon_environment_datablock_leak.rb b/modules/auxiliary/fileformat/icon_environment_datablock_leak.rb
@@ -9,7 +9,7 @@ class MetasploitModule < Msf::Auxiliary
 
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::Remote::SMB::Server::Share
-  include Msf::Exploit::Remote::SMB::Server::HashCapture
+  include Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
   def initialize(info = {})
     super(
diff --git a/modules/auxiliary/fileformat/specialfolder_leak.rb b/modules/auxiliary/fileformat/specialfolder_leak.rb
@@ -8,7 +8,7 @@ class MetasploitModule < Msf::Auxiliary
 
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::Remote::SMB::Server::Share
-  include Msf::Exploit::Remote::SMB::Server::HashCapture
+  include Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
   def initialize(info = {})
     super(
diff --git a/modules/auxiliary/server/capture/smb.rb b/modules/auxiliary/server/capture/smb.rb
@@ -8,7 +8,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include ::Msf::Exploit::Remote::SMB::Server
-  include ::Msf::Exploit::Remote::SMB::Server::HashCapture
+  include ::Msf::Exploit::Remote::Relay::NTLM::HashCapture
 
   def initialize
     super({
@@ -64,15 +64,16 @@ def initialize
 
   def start_service(opts = {})
     ntlm_provider = HashCaptureNTLMProvider.new(
-      listener: self
+      listener: self,
+      service_name: 'SMB'
     )
 
     # Set domain name for all future server responses
     ntlm_provider.dns_domain = datastore['SMBDomain']
     ntlm_provider.dns_hostname = datastore['SMBDomain']
     ntlm_provider.netbios_domain = datastore['SMBDomain']
     ntlm_provider.netbios_hostname = datastore['SMBDomain']
-    validate_smb_hash_capture_datastore(datastore, ntlm_provider)
+    validate_hash_capture_datastore(datastore, ntlm_provider)
     opts[:gss_provider] = ntlm_provider
 
     super(opts)
diff --git a/modules/exploits/windows/fileformat/unc_url_cve_2025_33053.rb b/modules/exploits/windows/fileformat/unc_url_cve_2025_33053.rb
@@ -7,7 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::SMB::Server::Share
-  include Msf::Exploit::Remote::SMB::Server::HashCapture
+  include Msf::Exploit::Remote::Relay::NTLM::HashCapture
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::EXE
 
