Metasploit mailing list archives
smb_sniffer module question
From: nicolas.ruff at gmail.com (Nicolas RUFF)
Date: Tue, 19 Dec 2006 08:06:03 +0100
Hello,
> Ahh I see. I have never used l0phtcrack for the very reason of it being commercial. Cain is the only cracking app I know of... unless maybe there is a patch for john kicking around.
The "biggest" john patch I am aware of is the following: http://www.banquise.net/misc/patch-john.html
And it is missing Windows challenge/response mechanisms.

Apart from Cain and LCP, the following tool is also able to crack LM/NTLM challenge/response: http://www.toolcrypt.org/tools/t2bf/index.html

A "lightweight" Open Source implementation of those protocols can be found here: http://www.groar.org/groar/titi/

And if you are interested in the difference between NTLM and NTLMv2: http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/?topics=y
> Are you referring to domain-based logins? I was referring to standard authenticated requests to the NetBIOS Session Service, much like might occur when accessing shares that require authentication. I am far from an expert in Windows networking, but I was under the impression that they differ. Modern Windows systems connect to trusted DCs with a machine password to secure the channel, and I would understand that stopping smb_sniffer from working well with Windows XP and 2003. [...]
Modern Windows (>= Windows 2000) uses Kerberos5 for domain authentication. It is *way* different from the traditional LM/NTLM protocols, even if Microsoft's implementation of Kerberos5 reuses the NTLM hash as the master secret. That's not to say there is nothing to do with it: http://ntsecurity.nu/toolbox/kerbcrack/

If your computer is joined to a domain, LM/NTLM are used in 2 cases:

- The shared resource you are connecting to is not in a "trusted" domain (that could mean a workgroup, too).
- The "Principal Name" of the resource cannot be acquired. This is typically the case when you "net use \\IP_address" and "IP_address" does not resolve as a fully qualified domain name. For example, if "IP_address" resolves as "NETBIOS_NAME" (because WINS is configured as the primary name resolution source[*]), Windows will use LM/NTLM to connect to it. If "IP_address" resolves as "name.my.domain.com", Windows will acquire a Kerberos session ticket.

[*] http://www.bleepingcomputer.com/tutorials/tutorial52.html

Hope it helps,

- Nicolas RUFF
Current thread:
- smb_sniffer module question Luke J (Dec 10)
- smb_sniffer module question Daniel Rebsdorf (Dec 10)
- smb_sniffer module question Luke J (Dec 10)
- smb_sniffer module question Daniel Rebsdorf (Dec 10)
- smb_sniffer module question H D Moore (Dec 10)
- smb_sniffer module question Luke J (Dec 10)
- smb_sniffer module question Nicolas RUFF (Dec 18)
- smb_sniffer module question Luke J (Dec 10)
- smb_sniffer module question Daniel Rebsdorf (Dec 10)
- smb_sniffer module question Nicolas RUFF (Dec 13)
- smb_sniffer module question Luke J (Dec 11)