Penetration Testing mailing list archives

Can someone help me with my lab scenario please...


From: "Patrick MacDanel" <pmacdanel () pntech net>
Date: Sun, 13 Oct 2002 23:47:27 -0500

Greetings to all:
 
    I am having a tough time trying to import Win2k/WinXP sniffed challenge/response logins into various cracking programs. My lab scenario is a Windows 2000 Advanced Server SP3 and a Windows XP Pro workstation. I am successfully logging onto a server share (not a domain login) from the XP client and capturing the challenge/response. Because it is a 2K/XP non-domain login (no Kerberos, right?), I am assuming that I am dealing with NTLMv2 challenge/response hashes. I looked over the PowerPoint presented at Black Hat by urity on cracking NTLMv2 and decided to try the two tools mentioned in the paper.

I used ScoopLM running on the server to grab the challenge/response OK and imported it into BeatLM in order to try and brute force it. The BeatLM documentation says it can brute force NTLMv1 and v2. The problem is that when I go to run either the dictionary attack or the brute force attack, it never starts... it just says 'search complete'. Further, in the "length" field column of the cracker it says "ntlmv1"? I then assumed that maybe I was wrong about the hash versions and it was NTLMv1, or there was some other problem with the program, so I switched to ettercap for Windows, sniffed the challenge/response OK and imported it into LC4 under the LC2.5 format (the way ettercap saves NTLM hashes). Well, now it does the same thing, and there is no data shown in the challenge field, just all zeros in the NTLM hash and LM hash fields (I think this is normal b/c it is a challenge/response sniff). My next attempt was just to use the built-in SMB capture of LC4. I started the packet capture and successfully logged into the server share, but nothing was recorded in the capture! (I tried this many times.) Can someone please tell me where I am going wrong? I have spent over 25 hours on just trying to get started. I am especially disappointed that I cannot use BeatLM; the paper on NTLMv2 and the program looked so promising..... If someone knows how to properly use those two utilities please let me know.....

I have included below the exact test data as I imported it if you wish to look at it:
 
the login is admintest 
the password is hill99
 
ScoopLM capture, saved as a .csv file:
Server,Client,Account,Result,Challenge,"LM response","NTLM response"
192.168.1.250,192.168.1.101,admintest\KDENISEVIGEE,OK,778f3ecf8bc1ba45,06062b0601050502a0483046a00e300c060a2b0601040182,3702020aa23404324e544c4d535350000100000097b208e0
 
ettercap capture, saved as a .lc file (L0pht 2.5 format):
USER:3:778f3ecf8bc1ba45:06062b0601050502a0483046a00e300c060a2b0601040182:3702020aa23404324e544c4d535350000100000097b208e0
 
 
Thanks,
 
Patrick S. MacDanel II
P&N Technologies
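As an added diagnostic example (editor's code, not part of Patrick's post and not ScoopLM, BeatLM or ettercap code), the following Python decodes the two hex fields from the CSV line above the way a network detection parser classifies an SMB session setup: it concatenates them, walks any BER OBJECT IDENTIFIER values, and then looks for the NTLMSSP signature and message type. The function names and the `KNOWN_OIDS` table are my own; the OID values and the NTLMSSP header layout come from RFC 4178 (SPNEGO) and MS-NLMP.

```python
import struct

# Sample input: the two hex fields from the CSV line quoted in the post,
# exactly as ScoopLM wrote them into its "LM response" and "NTLM response" columns.
LM_FIELD = "06062b0601050502a0483046a00e300c060a2b0601040182"
NT_FIELD = "3702020aa23404324e544c4d535350000100000097b208e0"

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# NTLMSSP message types as defined in MS-NLMP.
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Well-known OIDs seen in an SMB session setup (table is mine, values are standard).
KNOWN_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP mechanism",
}


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of a BER OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40]          # first byte packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)     # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def find_oids(blob: bytes) -> list:
    """Return the dotted form of every complete OID TLV (tag 0x06) found in blob."""
    oids = []
    i = 0
    while i + 2 <= len(blob):
        if blob[i] == 0x06:
            length = blob[i + 1]
            if length < 0x80 and i + 2 + length <= len(blob):
                oids.append(decode_oid(blob[i + 2:i + 2 + length]))
                i += 2 + length
                continue
        i += 1
    return oids


def ntlmssp_header(blob: bytes):
    """Locate an NTLMSSP header and return its offset, message type and flags."""
    off = blob.find(NTLMSSP_SIGNATURE)
    if off < 0 or off + 16 > len(blob):       # need signature + type + flags
        return None
    msg_type, flags = struct.unpack_from("<II", blob, off + 8)
    return {
        "offset": off,
        "type": MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"),
        "flags": flags,
    }


def analyse_capture(lm_hex: str, nt_hex: str) -> dict:
    """Classify what a capture tool actually put into its LM/NTLM response columns."""
    blob = bytes.fromhex(lm_hex) + bytes.fromhex(nt_hex)
    oids = [(o, KNOWN_OIDS.get(o, "unknown")) for o in find_oids(blob)]
    header = ntlmssp_header(blob)
    if header and header["type"] == "AUTHENTICATE":
        verdict = "AUTHENTICATE message: carries the client's response fields"
    elif header:
        verdict = f"{header['type']} message: no password-derived response present"
    elif oids:
        verdict = "SPNEGO/ASN.1 data, not LM/NTLM response bytes"
    else:
        verdict = "opaque fields with no ASN.1 or NTLMSSP structure"
    return {"oids": oids, "ntlmssp": header, "verdict": verdict}


if __name__ == "__main__":
    result = analyse_capture(LM_FIELD, NT_FIELD)
    for oid, name in result["oids"]:
        print(f"OID {oid} ({name})")
    print("NTLMSSP:", result["ntlmssp"])
    print("Verdict:", result["verdict"])
```

Run on the post's two fields, the parser reports the SPNEGO OID 1.3.6.1.5.5.2 followed by the NTLMSSP mechanism OID 1.3.6.1.4.1.311.2.2.10 (the second OID straddles the boundary between the two columns, so the columns are one contiguous slice of a SPNEGO token rather than two independent 24-byte responses), and then an NTLMSSP NEGOTIATE (type 1) message at offset 32 with flags 0xe008b297. A NEGOTIATE message carries only capability flags and no password-derived material, which matches the empty challenge and all-zero hash fields the crackers displayed. Detection tooling that inspects SMB authentication has to unwrap the SPNEGO layer and read the NTLMSSP message type before treating any fixed-length field as an LM or NTLM response.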
