Metasploit mailing list archives
smb_sniffer module question
From: hdm at metasploit.com (H D Moore)
Date: Sun, 10 Dec 2006 12:55:32 -0600
There is a difference between a login request between a client and a trusted server and an inbound request to the smb_sniffer service. Windows XP and 2003 will not blindly send password hashes to smb_sniffer (unlike NT 4.0, 2000, and Win9x). There are some configurations where the client will send these hashes anyways, but this will result in a much smaller number of captures when used against an XP/2003 network. Additionally, the smb_sniffer code only handles NTLMv1 authentication -- any client configured to do NTLMv2 only will not send a valid password hash to the smb_sniffer module.

-HD

On Sunday 10 December 2006 04:35, Luke J wrote:
> In addition, I have been testing sniffing with Cain to intercept the LM/NTLM challenge/response hashes as they are sent to smb_sniffer. However, it seems to have real difficulty picking them up. Often it doesn't detect them at all. However, it is very reliable when sniffing LM/NTLM connections to an actual Windows box. Anybody know if this is a problem with smb_sniffer?
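
The NTLMv1/NTLMv2 distinction in the reply above can be audited from the layout of the two response fields alone; the following is an added example, not part of the original post or of Metasploit's code. It assumes the standard NTLM field layout (24-byte LM/NTLMv1 responses, an NTLMv2 response made of a 16-byte proof plus a blob starting `01 01`); the function names, client names and sample bytes are constructed for illustration.

```python
from dataclasses import dataclass

V1_LEN = 24            # LM and NTLMv1 responses are always 24 bytes
NTLMV2_MIN = 16 + 28   # 16-byte proof + smallest possible client blob


@dataclass
class Verdict:
    kind: str
    v1_family: bool    # True when the client answered with LM/NTLMv1


def classify(lm_resp: bytes, nt_resp: bytes) -> Verdict:
    """Classify by field layout only; response contents are not interpreted."""
    if len(nt_resp) >= NTLMV2_MIN and nt_resp[16:18] == b"\x01\x01":
        # NTLMv2: proof, then a blob that starts RespType=1, HiRespType=1
        return Verdict("NTLMv2", False)
    lm_ok = len(lm_resp) == V1_LEN
    if len(nt_resp) == V1_LEN:
        if lm_ok and lm_resp[8:] == bytes(16) and lm_resp[:8] != bytes(8):
            # LM field holds an 8-byte client nonce padded with 16 zero bytes
            return Verdict("NTLMv1 + extended session security", True)
        return Verdict("LM + NTLMv1" if lm_ok else "NTLMv1 only", True)
    if not nt_resp and lm_ok:
        return Verdict("LM only", True)
    return Verdict("unrecognized", False)


def v1_clients(records):
    """Return the sorted client names whose response was LM/NTLMv1 family."""
    return sorted({c for c, lm, nt in records if classify(lm, nt).v1_family})


# Constructed sample input: filler bytes in the right layout, not real captures.
SAMPLE = [
    ("nt4-box", b"\xaa" * 24, b"\xbb" * 24),
    ("xp-ess", b"\x11" * 8 + bytes(16), b"\xbb" * 24),
    ("v2-only", b"\xcc" * 24,
     b"\xcc" * 16 + b"\x01\x01" + bytes(6) + bytes(8) + b"\xdd" * 8 + bytes(8)),
    ("win9x", b"\xaa" * 24, b""),
]

if __name__ == "__main__":
    for client, lm, nt in SAMPLE:
        print(f"{client:8} {classify(lm, nt).kind}")
    print("still answering with v1:", v1_clients(SAMPLE))
```

Clients reported by `v1_clients` are the ones whose authentication policy still permits LM/NTLMv1 and are candidates for an NTLMv2-only setting.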