Metasploit mailing list archives
Re: Metasploit 3.8.0-dev.13016
From: Dan Jenkins <k1dlr01 () yahoo com>
Date: Fri, 1 Jul 2011 10:20:12 -0700 (PDT)
--- On Fri, 7/1/11, Dan Jenkins <k1dlr01 () yahoo com> wrote:

From: Dan Jenkins <k1dlr01 () yahoo com>
Subject: Re: [framework] Metasploit 3.8.0-dev.13016
To: "Jose Selvi" <jselvi () pentester es>
Date: Friday, July 1, 2011, 10:17 AM

Thanks

That explains why I did not get ANY NTLMv1 data - our target machines do NOT allow V1 traffic - only V2. I will have to figure out the difference in the JTR format and the CAIN format and PERL out the files to C&A. JTR is faster but C&A is still a super useful tool.

--- On Thu, 6/30/11, Jose Selvi <jselvi () pentester es> wrote:

From: Jose Selvi <jselvi () pentester es>
Subject: Re: [framework] Metasploit 3.8.0-dev.13016
To: framework () spool metasploit com
Date: Thursday, June 30, 2011, 10:06 PM

Sorry, convert JTR to Cain&Abel (copy&paste mistake).

Regards.

On 01/07/11 00:16, Jose Selvi wrote:

From module's code:

    if(datastore['CAINPWFILE'] and smb[:username])
      if ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE then
        fd = File.open(datastore['CAINPWFILE'], "ab")
        fd.puts(
          [
            smb[:username],
            smb[:domain] ? smb[:domain] : "NULL",
            @challenge.unpack("H*")[0],
            lm_hash ? lm_hash : "0" * 48,
            nt_hash ? nt_hash : "0" * 48
          ].join(":").gsub(/\n/, "\\n")
        )
        fd.close
      end
    end

It seems that only NTLMv1 challenge-response is stored in Cain&Abel format. I can't remember, but I think I read some time ago that NTLMv2 importing or cracking was not supported by Cain & Abel, so this output format wasn't generated for NTLMv2. You can recode the module to accept it, or simply use awk (or similar) to convert JTR format to CHEMA.

--
Jose Selvi.
Security Technical Consultant
CISA, CISSP, CNAP, GCIH, GPEN
http://www.pentester.es

SANS Mentor in Madrid (Spain). September 23 - November 25
SEC560: Network Penetration Testing and Ethical Hacking
http://www.sans.org/mentor/details.php?nid=24133
http://www.pentester.es/2010/12/nuevo-grupo-y-descuento-para-network.html
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
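
Added example, not part of the original thread or of the Metasploit module: a Ruby parser for the five-field record that the quoted snippet appends to CAINPWFILE, used to list which accounts still answered with NTLMv1. The names `parse_cain_line` and `ntlmv1_accounts` and the sample lines are constructed for illustration, and the 16-hex-digit challenge width assumes the 8-byte NTLM server challenge.

```ruby
# Added example (not Metasploit code). Record layout taken from the snippet:
#   username:domain:challenge:lm_response:nt_response
CainRecord = Struct.new(:username, :domain, :challenge, :lm_response, :nt_response)
EMPTY_RESPONSE = "0" * 48 # placeholder the snippet writes for a missing hash

# Parse one line; returns a CainRecord, or nil if the layout does not match.
def parse_cain_line(line)
  fields = line.chomp.split(":", -1)
  return nil if fields.length < 5
  # The hex fields are fixed-width, so read them from the right. Assumption:
  # ":" in client-supplied names is not escaped, so extras go to the username.
  challenge, lm, nt = fields[-3..-1]
  return nil unless challenge =~ /\A\h{16}\z/ # assumed 8-byte server challenge
  return nil unless [lm, nt].all? { |r| r =~ /\A\h{48}\z/ }
  domain = fields[-4] == "NULL" ? nil : fields[-4]
  CainRecord.new(fields[0...-4].join(":"), domain, challenge.downcase,
                 lm == EMPTY_RESPONSE ? nil : lm.downcase,
                 nt == EMPTY_RESPONSE ? nil : nt.downcase)
end

# Summarise which accounts produced NTLMv1 records.
# Returns [report, skipped]; report maps "DOMAIN\user" to a count and a flag
# telling whether any record carried a non-placeholder LM response.
def ntlmv1_accounts(lines)
  report = Hash.new { |h, k| h[k] = { count: 0, lm_present: false } }
  skipped = 0
  lines.each do |line|
    rec = parse_cain_line(line)
    if rec.nil?
      skipped += 1
      next
    end
    entry = report["#{rec.domain || '-'}\\#{rec.username}"]
    entry[:count] += 1
    entry[:lm_present] ||= !rec.lm_response.nil?
  end
  [report, skipped]
end

# Constructed sample lines (not real captures).
SAMPLE = [
  "alice:CORP:1122334455667788:" + "a1" * 24 + ":" + "b2" * 24,
  "alice:CORP:1122334455667788:" + "0" * 48 + ":" + "c3" * 24,
  "svc:backup:NULL:1122334455667788:" + "0" * 48 + ":" + "d4" * 24,
  "truncated:CORP:1122"
].freeze

ntlmv1_accounts(SAMPLE).first.each { |who, e| puts "#{who}: #{e}" } if __FILE__ == $PROGRAM_NAME
```

An empty result on a populated capture run matches what the thread describes: clients restricted to NTLMv2 never reach the NTLMv1 branch that writes this file.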