Re: [PEN-TEST] Sniffing web-based NT logins

["Magus Ba'al" <magusbaal () DIGITALBASTARDS NET>]

I figured this might be kind of pertinent, MS released an advisory about
this about 9 hours after you sent your email :)


Title:      Web Client NTLM Authentication Vulnerability
Date:       January 11, 2001
Software:   Office 2000, Windows 2000, and Windows Me
Impact:     NTLM Credentials sent regardless of prompt setting
Bulletin:   MS01-001

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-001.asp.



Steven Beverly
Some guy working for some ISP

"Failure is not an option, it comes pre-installed with your Windoze
software..." -Unknown

"He who fights with monsters should look to it that he himself does not
become a monster...when you gaze long into the abyss the abyss also gazes
into you." -Friedrich Nietzsche


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Batten, Gerald
Sent: Thursday, January 11, 2001 7:56 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Sniffing web-based NT logins


I was wondering if there was a tool, or if someone knew how to pick it off
of a regular sniffer, to pick up the NT has of an NT login over the web.
Let me explain...

The server is IIS 5.0, the web clients are IE 5.x, and the server is
configured to take NT authentication to the protected web pages exclusively.
This means that Netscape won't work, and that the passwords are not sent as
the standard Base64 encoding.

So, how are the passwords transferred, and how would I use a sniffer to pick
it up?  I'm assuming that they would be Lanman hashes and that I could pull
them off the wire somehow and use LophtCrack to guess the passwords?

Gerald.