Metasploit mailing list archives

smb_sniffer module question


From: 0xlukej at gmail.com (Luke J)
Date: Mon, 11 Dec 2006 02:37:29 +0000

Ahh I see. I have never used L0phtCrack for the very reason of it being
commercial. Cain is the only cracking app I know of... unless maybe
there is a patch for john kicking around.

H D Moore wrote:
The format is the "old style" L0phtCrack challenge-response capture. You 
can import this into LC, but I don't know what other tools support 
challenge-response cracking or what format they accept it in. Since 
L0phtCrack is commercial and obsolete, I would like to change this format 
to be accepted by a free/oss cracking application instead. Besides Cain, 
are there any suggestions for apps that can crack challenge-response 
hashes?

Are you referring to domain-based logins? I was referring to standard
authenticated requests to the NetBIOS Session Service, much like might
occur when accessing shares that require authentication. I am far from
an expert in Windows networking but I was under the impression that they
differ.

Modern Windows systems connect to trusted DCs with a machine password
to secure the channel, and I would understand that stopping smb_sniffer
from working well with Windows XP and 2003. However, the context of my
tool involves already having SYSTEM access to a domain member. Then if
there are any privileged domain delegation tokens kicking around it will
impersonate them and then connect to smb_sniffer using the
WNetAddConnection() API call. The MSDN states that leaving the username
and password as NULL will cause the call to use the credentials
associated with the current token.

As far as I am aware it should be the same as issuing a "net use \\IP"
call at the command line. I have confirmed that Cain will successfully
intercept the correct credentials when performing either of these and
connecting to a Windows box from my XP SP2 machine (though neither is
on a domain). However, it doesn't normally intercept correctly when
connecting to smb_sniffer, though smb_sniffer itself logs all the
connection attempts. I haven't been able to confirm if it is logging the
password hashes correctly yet though.

I could just use a Windows box and let Cain intercept them successfully,
but smb_sniffer is nice because it uses a fixed server challenge and
downgrades to LANMAN where possible.

The tool also will allow you to execute code under the context of the
token and create new processes with the tokens, but I figured grabbing
password hashes would be a nice feature too :)

Whilst writing this I just started to realise that this type of tool
would probably be really nice to have as a meterpreter module. Maybe
I'll have a look into doing that when I'm done with the conventional
tool and understand the problem better.

Cheers,

Luke J

H D Moore wrote:
There is a difference between a login request between a client and a 
trusted server and an inbound request to the smb_sniffer service. Windows 
XP and 2003 will not blindly send password hashes to smb_sniffer (unlike 
NT 4.0, 2000, and Win9x). There are some configurations where the client 
will send these hashes anyway, but this will result in a much smaller 
number of captures when used against an XP/2003 network. Additionally, the 
smb_sniffer code only handles NTLMv1 authentication -- any client 
configured to do NTLMv2 only will not send a valid password hash to the 
smb_sniffer module.
-HD
