Land rapid7#19842, fixing jtr_format for NTLM hashes

Skyprx · Feb 7, 2025 · dfb1ed6 · dfb1ed6
2 parents 94c1167 + 8e68d1d
commit dfb1ed6
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/msf/core/exploit/remote/smb/server/hash_capture.rb b/lib/msf/core/exploit/remote/smb/server/hash_capture.rb
@@ -54,12 +54,14 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
       case ntlm_message.ntlm_version
       when :ntlmv1, :ntlm2_session
         hash_type = 'NTLMv1-SSP'
+        jtr_format = Metasploit::Framework::Hashes::JTR_NTLMV1
         client_hash = "#{bin_to_hex(ntlm_message.lm_response)}:#{bin_to_hex(ntlm_message.ntlm_response)}"
 
         combined_hash << ":#{client_hash}"
         combined_hash << ":#{bin_to_hex(challenge)}"
       when :ntlmv2
         hash_type = 'NTLMv2-SSP'
+        jtr_format = Metasploit::Framework::Hashes::JTR_NTLMV2
         client_hash = "#{bin_to_hex(ntlm_message.ntlm_response[0...16])}:#{bin_to_hex(ntlm_message.ntlm_response[16..-1])}"
 
         combined_hash << ":#{bin_to_hex(challenge)}"
@@ -68,8 +70,6 @@ def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
 
       return if hash_type.nil?
 
-      jtr_format = ntlm_message.ntlm_version == :ntlmv1 ? Metasploit::Framework::Hashes::JTR_NTLMV1 : Metasploit::Framework::Hashes::JTR_NTLMV2
-
       if active_db?
         origin = create_credential_origin_service(
           {