Penetration Testing mailing list archives
RE: Pass the hash
From: <dan () inphoworx com>
Date: Fri, 16 Nov 2007 11:29:24 -0500
Are we talking black tar or blonde Lebanese? I prefer the hash under glass technique although it's easier to share if you just sprinkle it over a bowl of weed and pass it around. I think either technique works well with both Windows and Unix/Linux environments. Although I do think the second technique is pretty much required when working with a tiger team of "rogue IT" specialists. I will say that the down side to either technique seems to be a degradation of project planning and logistics.

Regards,
Daniel T. Jerome
President
InphoWorx, LLC
Secure Technology Solutions

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of me
Sent: Thursday, November 15, 2007 5:15 PM
To: pen-test () securityfocus com
Subject: Pass the hash

I have an email hack that sends the Windows credentials, without the user's knowledge or consent, to my box - which is running CAIN. No machine in my shop will send (downgrade authentication) LM or NTLMv1 -- only NTLMv2 -- which is NTLMSSP. Using CAIN I can get the suite of NTLMSSP hashes but I cannot pass them on or crack them via brute force. Since these hashes are not the same as the hashes from the SAM - I cannot pass them directly to a RAINBOW NTLM table attack.

Before I turn over the email hack to the email vendor, I would like very much to have a POC that either passes the hash or a better cracker than using a dictionary. It seems to me that the only viable hack is to somehow create a MITM situation where the authentication from my email hack is used to access some network resource (share) on a target machine where I know the email victim can access the resource via these credentials. I am hoping Metasploit or CAIN will do this one day and I know that Metasploit will pass the hash when it is not an NTLMv2 hash.
Any other ideas that will leverage the hashes that I can gather? I have gathered my own hashes and verified that a CAIN dictionary attack will accurately match up a password to a hash (in other words the CAIN dictionary cracker works fine). I think that by using a very large dictionary and using all of the CAIN dictionary options I could probably crack 2-3 passwords from 200 hashes.

thanks