Metasploit mailing list archives
smb_sniffer module question
From: 0xlukej at gmail.com (Luke J)
Date: Mon, 11 Dec 2006 02:37:29 +0000
Ahh I see. I have never used l0phtcrack for the very reason of it being commercial. Cain is the only cracking app I know of....unless maybe there is a patch for john kicking around. H D Moore wrote:
The format is the "old style" L0phtcrack challenge-response capture. You can import this into LC, but I don't know what other tools support challenge-response cracking or what format they accept it in. Since l0phtcrack is commercial and obsolete, I would like to change this format to be accepted by a free/oss cracking application instead. Besides Cain, are there any suggestions for apps that can crack challenge-response hashes?
Are you referring to domain based logins? I was referring to standard authenticated requests to the NetBIOS Session Service, much like might occur when accessing shares that require authentication. I am far from an expert in Windows networking but I was under the impression that they differ. Modern Windows systems connect to trusted DCs with a machine password to secure the channel, and I would understand that stopping smb_sniffer from working well with Windows XP and 2003.

However, the context of my tool involves already having SYSTEM access to a domain member. Then, if there are any privileged domain delegation tokens kicking around, it will impersonate them and then connect to smb_sniffer using the WNetAddConnection() API call. The MSDN states that leaving the username and password as NULL will cause the call to use the credentials associated with the current token. As far as I am aware it should be the same as issuing a "net use \\IP" call at the command line. I have confirmed that Cain will successfully intercept the correct credentials when performing either of these and connecting to a Windows box from my XP SP2 machine (though neither are on a domain). However, it doesn't normally intercept correctly when connecting to smb_sniffer, though smb_sniffer itself logs all the connection attempts. I haven't been able to confirm if it is logging the password hashes correctly yet though.

I could just use a Windows box and let Cain intercept them successfully, but smb_sniffer is nice because it uses a fixed server challenge and downgrades to LANMAN where possible. The tools also will allow you to execute code under the context of the token and create new processes with the tokens, but I figured grabbing password hashes would be a nice feature too :) Whilst writing this I just started to realise that this type of tool would probably be really nice to have as a meterpreter module. Maybe I'll have a look into doing that when I'm done with the conventional tool and understand the problem better.

Cheers,
Luke J

H D Moore wrote:
There is a difference between a login request between a client and a trusted server and an inbound request to the smb_sniffer service. Windows XP and 2003 will not blindly send password hashes to smb_sniffer (unlike NT 4.0, 2000, and Win9x). There are some configurations where the client will send these hashes anyway, but this will result in a much smaller number of captures when used against an XP/2003 network. Additionally, the smb_sniffer code only handles NTLMv1 authentication -- any client configured to do NTLMv2 only will not send a valid password hash to the smb_sniffer module. -HD
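The practical defensive takeaway from this exchange is that only hosts still negotiating LM or NTLMv1 will hand a rogue SMB service a crackable response. The following is an added example, not code from the thread or from Metasploit, that flags such network logons in Windows Security event text; it assumes the modern Event ID 4624 field names ("Package Name (NTLM only)") and uses constructed sample entries.

```python
import re

# Constructed sample Windows Security log entries (Event ID 4624, network logon),
# trimmed to the fields relevant here; not real captured data.
SAMPLE_EVENTS = [
    """Event ID: 4624
Logon Type: 3
Account Name: alice
Source Network Address: 10.0.0.21
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Key Length: 128""",
    """Event ID: 4624
Logon Type: 3
Account Name: bob
Source Network Address: 10.0.0.77
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Key Length: 56""",
    """Event ID: 4624
Logon Type: 3
Account Name: legacy
Source Network Address: 10.0.0.90
Authentication Package: NTLM
Package Name (NTLM only): LM
Key Length: 56""",
    """Event ID: 4624
Logon Type: 3
Account Name: carol
Source Network Address: 10.0.0.30
Authentication Package: Kerberos
Package Name (NTLM only): -
Key Length: 0""",
]

# "Field Name: value" lines; the key may contain spaces and parentheses but no colon.
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$", re.M)
WEAK_PACKAGES = {"LM", "NTLM V1"}  # responses a fixed-challenge sniffer can exploit

def parse_event(text):
    """Turn one event's text block into a dict of field name -> value."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}

def find_weak_ntlm_logons(events):
    """Return (account, source address, package) for network logons using LM or NTLMv1."""
    hits = []
    for ev in map(parse_event, events):
        if ev.get("Event ID") != "4624" or ev.get("Logon Type") != "3":
            continue  # only successful network logons are of interest here
        pkg = ev.get("Package Name (NTLM only)", "").upper()
        if ev.get("Authentication Package") == "NTLM" and pkg in WEAK_PACKAGES:
            hits.append((ev["Account Name"], ev["Source Network Address"], pkg))
    return hits
```

Each hit identifies a client that should have its LmCompatibilityLevel raised so it sends NTLMv2 only, which is exactly the configuration HD describes as yielding no valid hash to smb_sniffer.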