Metasploit mailing list archives

smb_sniffer module question
From: 0xlukej at gmail.com (Luke J)
Date: Mon, 11 Dec 2006 09:13:25 +0000

Hi Andres,

Thanks for the info. I looked at your presentation and it looks
interesting and I will give your tools a try. I never knew there were
any publicly available tools to play with tokens. Hopefully they don't
do everything I intended mine to do though, otherwise I have wasted my
time haha :). Even if it does though, I think it would excellent to
integrate this sort of stuff into the meterpreter.

Cheers,

Luke

Andres Tarasco wrote:
Hi luke,

I have already coded some tools that perform something like that. Take a
look at The Token Thieffer and namedpipes tools available at
http://www.514.es/2006/10/exploiting_win32_design_flaws.html

namedpipes is also able to inject payloads like lnk or desktop.ini files
into remote smb shares. Those payloads allow you to force remote network
connections and steal smb hashes or to use smbrelay to connect to third-party
servers.

By the way, tokens stolen in that way will only allow you to connect to
network servers if the user has been authenticated locally (like services
running with a domain account) or if the server is delegated for
authentication (for example smb servers where files are stored with EFS).

Anyway, it is really useful for pentests to acquire domain credentials.

regards,

Andres Tarasco

2006/12/10, Luke J <0xlukej at gmail.com>:

Heya,

I've been writing a tool for utilising Windows access tokens once a box
has been compromised. One of the first things I have made it do is to
connect to a remote IP whilst impersonating each access token in turn,
in order to obtain password hashes for accounts that might be domain
accounts.

It is working fine but I was wondering if the smb_sniffer output format
was intended for any particular cracking software. As far as I am aware,
John doesn't have the ability to crack challenge/response hashes and I
don't think you import them directly into Cain either (though there is
the possibility I could be wrong on both counts!!!).

I could run a packet sniffer and feed the pcap file into Cain but I
figured that the output format of smb_sniffer might have been intended
for some cracking software in particular but couldn't find any
information on it. Can anyone help?

Cheers,

Luke