This is Jonathan Claudius's Typepad Profile.
Jonathan Claudius
Chicago, IL
Recent Activity
Recrudesce - Thanks for mentioning that. Actually, in our testing, we were able to exploit this vulnerability with an external auth user (such as LDAP) and with local users. I did not personally test with RADIUS, but based on how the vuln works, I suspect it would still work. We did mention this in our presentation at THOTCON this past Friday. You may find the slides helpful, which I've posted here: https://speakerdeck.com/claudijd/crowdsourcing-your-cisco-firewall-administration-dot-dot-dot-wat
Techhelplistcom - Very good point. I should have mentioned something about that in the post, but neglected to. By changing that config option, you essentially hide the SSH comment portion (described above) of the OpenSSH banner. It would still show the SSH version and OpenSSH version, but would effectively prevent someone from doing the translation technique to identify the Operating System. I'm more interested in people upgrading their operating systems to supported versions than hiding the fact that they are running older ones, but your point is definitely an important piece that some users may want to consider if that information is considered sensitive in the context of your environment.
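The reply above is about the comment field of the OpenSSH identification string, which is where the distribution packaging string that gives away the operating system normally lives. The following is an added example, not code from this profile's author, the original blog post or Metasploit: it parses SSH identification strings in the RFC 4253 form `SSH-protoversion-softwareversion SP comments` and reports, for each banner, whether the comment field discloses platform information beyond the OpenSSH version, so an administrator can check their own hosts before and after changing the banner setting. The sample banners are constructed for offline use; the `fetch_banner` helper is for reading the line from a host you administer.

```python
import re
import socket

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF.
# The optional comment is where distribution packaging strings (the clue used for
# the OS "translation" technique) usually appear; the software version is always sent.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)

# Constructed sample banners for offline use; not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4\r\n",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "SSH-2.0-OpenSSH_9.2 FreeBSD-20230316\r\n",
    "not an ssh banner\r\n",
]


def parse_banner(line):
    """Split an identification string into protocol, software and comment fields.

    Returns None when the line is not a well-formed SSH identification string.
    """
    m = BANNER_RE.match(line)
    if not m:
        return None
    return {
        "protocol": m.group("proto"),
        "software": m.group("software"),
        "comment": m.group("comment") or "",
    }


def assess_banner(line):
    """Audit view of one banner: what it reveals and whether the comment field
    carries platform/packaging information in addition to the OpenSSH version."""
    fields = parse_banner(line)
    if fields is None:
        return {"valid": False, "raw": line.strip()}
    software = fields["software"]
    fields["valid"] = True
    fields["is_openssh"] = software.startswith("OpenSSH_")
    fields["openssh_version"] = software[len("OpenSSH_"):] if fields["is_openssh"] else ""
    # A non-empty comment is the extra disclosure the reply above talks about;
    # hiding it leaves only the protocol and OpenSSH version visible.
    fields["exposes_platform"] = bool(fields["comment"])
    return fields


def fetch_banner(host, port=22, timeout=3.0):
    """Read the server identification line from a host you administer.

    An SSH server sends its banner immediately after the TCP connection opens,
    so nothing needs to be sent to obtain it.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    text = data.decode("ascii", errors="replace")
    return text.splitlines()[0] if text else ""


if __name__ == "__main__":
    # Offline run over the constructed samples.
    for banner in SAMPLE_BANNERS:
        result = assess_banner(banner)
        if not result["valid"]:
            print(f"{result['raw']!r}: not an SSH identification string")
            continue
        status = "platform disclosed" if result["exposes_platform"] else "version only"
        print(f"{banner.strip()!r}: OpenSSH {result['openssh_version'] or '?'}, "
              f"comment={result['comment']!r} -> {status}")
```

On Debian-derived systems the comment field is controlled by the distribution's `DebianBanner` sshd_config directive (a fact from general OpenSSH packaging knowledge, not from the reply above); after setting it to `no`, a banner read with `fetch_banner` should assess as "version only".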
Ahinson - Yeah, thanks for the point of clarification on the encoding and why it's different. The blog post articulates the process I followed to get strings from the UTF-16 content in my crude testing, which can be improved upon.
JayJay - Nice, like I said, "can be improved upon". Thanks!
Wanderer - Yeah, I had only done this testing on XP and Win8 before and had rarely set a hint for the user I was testing with. So that key in the SAM was new to me, as I noted above. Also, I had not seen that tool for erasing the hint before; I'll check that out. Thanks!
Terry - The focus here was to grab this information automatically as a remote attacker in the post-exploitation phase. To me (to use your own words) it would seem like "watching someone walk all the way around the block just to go to their next-door neighbor's house" if they spent the time to copy and paste this out of the registry user by user, then mapped that back to the user in the Names hive. But anyway, thanks for your comments.
Janmoesen - I don't necessarily think this information needs to be encrypted. You are correct in that anyone who has physical access can guess a username and obtain the associated hint on a one-by-one basis. The focus of my additions was to obtain this information remotely as part of a post-exploitation process and steal all the hints on the system.
Woody - Thanks for the link, I'll check that out.
Franklinheath - Thanks, a couple of others have brought that up too on the pull request after it was merged. I'll probably submit another pull request to tighten that code up in Metasploit when I get a chance.
Unixtippse - Nice find, perhaps someone could extend the Mac OS X hashdump modules to grab those hints too.
Jonathan Claudius is now following Mike Ryan
Jul 12, 2012
Jonathan Claudius is now following Trustwave SpiderLabs
Sep 15, 2011
Jonathan Claudius is now following The Typepad Team
Sep 15, 2011