Metasploit mailing list archives

smb_sniffer module question


From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Tue, 19 Dec 2006 08:06:03 +0100

Hello,

Ahh I see. I have never used l0phtcrack for the very reason of it being
commercial. Cain is the only cracking app I know of... unless maybe
there is a patch for john kicking around.

The "biggest" john patch I am aware of is the following:
http://www.banquise.net/misc/patch-john.html
And it is missing Windows challenge/response mechanisms.

Apart from Cain and LCP, the following tool is also able to crack
LM/NTLM challenge/response:
http://www.toolcrypt.org/tools/t2bf/index.html

A "lightweight" Open Source implementation of those protocols can be
found here:
http://www.groar.org/groar/titi/

And if you are interested in the difference between NTLM and NTLMv2:
http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/?topics=y


Are you referring to domain based logins? I was referring to standard
authenticated requests to the NetBIOS Session Service much like might
occur when accessing shares that require authentication. I am far from
an expert in windows networking but I was under the impression that they
differ.

Modern Windows systems connect to trusted DCs with a machine password
to secure the channel, and I would understand that stopping smb_sniffer
from working well with Windows XP and 2003. [...]

Modern Windows (>= Windows 2000) uses Kerberos 5 for domain
authentication. It is *way* different from the traditional LM/NTLM
protocols, even if Microsoft's implementation of Kerberos 5 reuses the NTLM
hash as the master secret.

That's not to say there is nothing to do with it:
http://ntsecurity.nu/toolbox/kerbcrack/

If your computer is joined to a domain, LM/NTLM are used in 2 cases:
- The shared resource you are connecting to is not in a "trusted" domain
(that could mean a workgroup, too).
- The "Principal Name" of the resource cannot be acquired. This is
typically the case when you "net use \\IP_address" and "IP_address" does
not resolve as a fully qualified domain name.

For example, if "IP_address" resolves as "NETBIOS_NAME" (because WINS is
configured as the primary name resolution source[*]), Windows will use
LM/NTLM to connect to it. If "IP_address" resolves as
"name.my.domain.com", Windows will acquire a Kerberos session ticket.

[*] http://www.bleepingcomputer.com/tutorials/tutorial52.html

Hope it helps,
- Nicolas RUFF
