Metasploit mailing list archives

smb_sniffer module question


From: hdm at metasploit.com (H D Moore)
Date: Sun, 10 Dec 2006 12:55:32 -0600

There is a difference between a login request between a client and a 
trusted server and an inbound request to the smb_sniffer service. Windows 
XP and 2003 will not blindly send password hashes to smb_sniffer (unlike 
NT 4.0, 2000, and Win9x). There are some configurations where the client 
will send these hashes anyways, but this will result in a much smaller 
number of captures when used against an XP/2003 network. Additionally, the 
smb_sniffer code only handles NTLMv1 authentication -- any client 
configured to do NTLMv2 only will not send a valid password hash to the 
smb_sniffer module.
-HD

On Sunday 10 December 2006 04:35, Luke J wrote:
In addition, I have been testing sniffing with Cain to intercept the
LM/NTLM challenge/response hashes as they are sent to smb_sniffer.
However, it seems to have real difficulty picking them up. Often it
doesn't detect them at all. However, it is very reliable when sniffing
LM/NTLM connections to an actual windows box. Anybody know if this is a
problem with smb_sniffer?
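Added example (not part of this thread, and not Metasploit's smb_sniffer code): HD's second point is that a capture is only useful to smb_sniffer if the client actually answered with NTLMv1. The script below parses an NTLMSSP AUTHENTICATE_MESSAGE (Type 3) as laid out in Microsoft's public MS-NLMP spec and reports whether the response material is NTLMv1, NTLMv2, LM-only or a null session, so a capture can be triaged before any cracking time is spent on it. The function names (parse_authenticate, classify_response, triage) and the two sample messages are my own; the response bytes in the samples are placeholder values, not real hashes. It does not address HD's first point (XP/2003 refusing to authenticate to an untrusted server at all); for that there is nothing to parse.

```python
import struct

# NTLMSSP constants from MS-NLMP (public spec); the sample messages below are constructed.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MSG_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "NTLM2 session" flavour of v1

# Offsets of the (Len, MaxLen, Offset) descriptors in the fixed part of a Type 3 message.
_LM, _NT, _DOMAIN, _USER, _WORKSTATION, _SESSKEY, _FLAGS = 12, 20, 28, 36, 44, 52, 60
_FIXED_LEN = 64  # header without the optional Version and MIC fields


def _read_field(msg, at):
    """Follow a (Len, MaxLen, Offset) descriptor into the payload and return those bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Split an NTLMSSP AUTHENTICATE_MESSAGE (Type 3) into its challenge-response material."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != MSG_AUTHENTICATE:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    flags = struct.unpack_from("<I", msg, _FLAGS)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm_response": _read_field(msg, _LM),
        "nt_response": _read_field(msg, _NT),
        "domain": _read_field(msg, _DOMAIN).decode(enc),
        "user": _read_field(msg, _USER).decode(enc),
        "workstation": _read_field(msg, _WORKSTATION).decode(enc),
        "flags": flags,
    }


def classify_response(parsed):
    """Name the authentication variant from the response lengths and the NTLMv2 blob header."""
    lm, nt = parsed["lm_response"], parsed["nt_response"]
    if len(nt) == 0 and lm in (b"", b"\x00"):
        return "anonymous"  # null session: nothing worth capturing
    if len(nt) == 24:
        # 24-byte DES-based NT response: classic NTLMv1. With extended session security
        # the LM field carries a client nonce instead of an LM response (NTLM2 session).
        if parsed["flags"] & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
            return "NTLMv1 (NTLM2 session)"
        return "NTLMv1"
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        # 16-byte HMAC-MD5 followed by the NTLMv2_CLIENT_CHALLENGE blob (RespType/HiRespType = 1/1).
        return "NTLMv2"
    if len(nt) == 0 and len(lm) == 24:
        return "LM only"
    return "unknown"


def build_authenticate(lm, nt, domain, user, workstation, flags):
    """Assemble a Type 3 message without Version/MIC; used here only to construct sample captures."""
    items = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]  # last item: no encrypted session key
    header = NTLMSSP_SIGNATURE + struct.pack("<I", MSG_AUTHENTICATE)
    payload, offset = b"", _FIXED_LEN
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    header += struct.pack("<I", flags | NTLMSSP_NEGOTIATE_UNICODE)
    return header + payload


# Constructed sample captures: the response bytes are placeholders, not real hashes.
SAMPLE_NTLMV1 = build_authenticate(
    lm=bytes(range(24)), nt=bytes(range(24, 48)),
    domain="LAB", user="alice", workstation="WS1", flags=NTLMSSP_NEGOTIATE_NTLM)

_ntlmv2_blob = (b"\x01\x01" + b"\x00" * 6   # RespType, HiRespType, reserved
                + b"\x00" * 8                # timestamp (FILETIME)
                + b"\x11" * 8                # client challenge
                + b"\x00" * 4                # reserved
                + b"\x00" * 4)               # AV_PAIR list terminator (MsvAvEOL)
SAMPLE_NTLMV2 = build_authenticate(
    lm=b"\xaa" * 24, nt=b"\xbb" * 16 + _ntlmv2_blob,
    domain="LAB", user="bob", workstation="WS2", flags=NTLMSSP_NEGOTIATE_NTLM)


def triage(msg):
    """Return (DOMAIN\\user, variant) so a capture can be checked before cracking it."""
    p = parse_authenticate(msg)
    return f"{p['domain']}\\{p['user']}", classify_response(p)


if __name__ == "__main__":
    for sample in (SAMPLE_NTLMV1, SAMPLE_NTLMV2):
        print(triage(sample))
```

Feed triage() the NTLMSSP blob carved out of the SMB Session Setup AndX request (the bytes starting at "NTLMSSP\0"); a result of "NTLMv2" is the case HD describes where a client configured for NTLMv2 only hands the sniffer nothing it can use, and a 24-byte NT response is the NTLMv1 material the module was written for.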


