Metasploit mailing list archives

smb_sniffer module question


From: atarasco at gmail.com (Andres Tarasco)
Date: Mon, 11 Dec 2006 08:49:46 +0100

Hi luke,

I have already coded some tools that perform something like that. Take a
look at The Token Thieffer and namedpipes tools available at
http://www.514.es/2006/10/exploiting_win32_design_flaws.html

namedpipes is also able to inject payloads like lnk or desktop.ini files
into remote smb shares. Those payloads allow you to force remote network
connections and steal smb hashes, or to use smbrelay to connect to third-party
servers.

By the way, tokens stolen in that way will only allow you to connect to
network servers if the user has been authenticated locally (like services
running with a domain account) or if the server is delegated for
authentication (for example smb servers where files are stored with EFS).

Anyway, it is really useful for pentests to acquire domain credentials.

regards,

Andres Tarasco
2006/12/10, Luke J <0xlukej at gmail.com>:

Heya,

I've been writing a tool for utilising Windows access tokens once a box
has been compromised. One of the first things I have made it do is to
connect to a remote IP whilst impersonating each access token in turn,
in order to obtain password hashes for accounts that might be domain
accounts.

It is working fine but I was wondering if the smb_sniffer output format
was intended for any particular cracking software. As far as I am aware,
John doesn't have the ability to crack challenge/response hashes and I
don't think you import them directly into Cain either (though there is
the possibility I could be wrong on both counts!!!).

I could run a packet sniffer and feed the pcap file into Cain but I
figured that the output format of smb_sniffer might have been intended
for some cracking software in particular but couldn't find any
information on it. Can anyone help?

Cheers,

Luke

-- 
Andres Tarasco