[framework] smb_sniffer module question
H D Moore
hdm at metasploit.com
Sun Dec 10 12:55:32 CST 2006
There is a difference between a login request between a client and a
trusted server and an inbound request to the smb_sniffer service. Windows
XP and 2003 will not blindly send password hashes to smb_sniffer (unlike
NT 4.0, 2000, and Win9x). There are some configurations where the client
will send these hashes anyways, but this will result in a much smaller
number of captures when used against an XP/2003 network. Additionally, the
smb_sniffer code only handles NTLMv1 authentication -- any client
configured to do NTLMv2 only will not send a valid password hash to the
smb_sniffer module.
-HD
On Sunday 10 December 2006 04:35, Luke J wrote:
> In addition, I have been testing sniffing with Cain to intercept the
> LM/NTLM challenge/response hashes as they are sent to smb_sniffer.
> However, it seems to have real difficulty picking them up. Often it
> doesn't detect them at all. However, it is very reliable when sniffing
> LM/NTLM connections to an actual windows box. Anybody know if this is a
> problem with smb_sniffer?
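The NTLMv1/NTLMv2 distinction HD raises is visible in the NTLMSSP AUTHENTICATE (Type 3) message itself: an NTLMv1 NtChallengeResponse is a fixed 24 bytes derived from the server challenge alone, while an NTLMv2 response is a 16-byte HMAC-MD5 proof followed by a client-built blob carrying a timestamp and a client-chosen nonce. The script below is an added example, not Metasploit or smb_sniffer code; it builds sample Type 3 messages of both kinds (the NTLMv1 response bytes are a placeholder, since the DES step is not implemented here), classifies a captured message by version, and performs the offline HMAC check an NTLMv2 capture would require. All messages, challenges and names are constructed sample values, not real captures; the NT hash used is the well-known hash of the empty password. Field layout follows MS-NLMP; the timestamp, target-info contents and the flags value are arbitrary choices.

```python
"""Classify NTLMSSP AUTHENTICATE (Type 3) messages as NTLMv1 or NTLMv2.

Added example (not Metasploit/smb_sniffer code). Layout per MS-NLMP.
All sample values below are constructed, not captured traffic.
"""
import hashlib
import hmac
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UTF-16LE(upper(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """NTLMv2 NtChallengeResponse: 16-byte NTProofStr followed by the client blob."""
    blob = (b"\x01\x01" + b"\x00" * 6            # RespType, HiRespType, reserved
            + struct.pack("<Q", timestamp)       # FILETIME chosen by the client
            + client_challenge                   # 8-byte client nonce
            + b"\x00" * 4
            + target_info                        # AV pairs copied from the server's Type 2
            + b"\x00" * 4)
    key = ntlmv2_hash(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def build_type3(lm_resp, nt_resp, domain, user, workstation, flags=0x00088205):
    """Assemble a minimal AUTHENTICATE_MESSAGE; six field descriptors, payload at offset 64."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # last field: EncryptedRandomSessionKey
    descs, payload, offset = b"", b"", 64
    for f in fields:
        descs += struct.pack("<HHI", len(f), len(f), offset)   # Len, MaxLen, BufferOffset
        payload += f
        offset += len(f)
    return NTLMSSP_SIG + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + payload


def _field(msg, idx):
    """Read field descriptor idx (0=LM, 1=NT, 2=domain, 3=user, 4=workstation, 5=session key)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * idx)
    return msg[offset:offset + length]


def classify_type3(msg):
    """Describe the authentication flavour of a Type 3 message by its NT response shape."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    nt_resp = _field(msg, 1)
    domain = _field(msg, 2).decode("utf-16-le")
    user = _field(msg, 3).decode("utf-16-le")
    if len(nt_resp) == 24:                       # NTLMv1: DES over the NT hash, challenge only
        return {"version": "NTLMv1", "user": user, "domain": domain, "nt_response": nt_resp}
    if len(nt_resp) > 24 and nt_resp[16:18] == b"\x01\x01":   # NTLMv2 blob header
        blob = nt_resp[16:]
        return {"version": "NTLMv2", "user": user, "domain": domain,
                "proof": nt_resp[:16], "blob": blob,
                "timestamp": struct.unpack_from("<Q", blob, 8)[0],
                "client_challenge": blob[16:24]}
    return {"version": "unknown", "user": user, "domain": domain, "nt_response": nt_resp}


def check_ntlmv2(parsed, server_challenge, candidate_nt_hash):
    """Offline test of a captured NTLMv2 proof against one candidate NT hash.

    The proof binds the client nonce and timestamp inside the blob, so each
    candidate needs its own HMAC; a fixed server challenge alone buys nothing.
    """
    key = ntlmv2_hash(candidate_nt_hash, parsed["user"], parsed["domain"])
    expected = hmac.new(key, server_challenge + parsed["blob"], hashlib.md5).digest()
    return hmac.compare_digest(expected, parsed["proof"])


# --- constructed sample data (not captured traffic) -------------------------
NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")   # NT hash of the empty password
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")            # arbitrary fixed server challenge
CLIENT_CHALLENGE = bytes.fromhex("aabbccddeeff0011")            # arbitrary client nonce
TIMESTAMP = 0x01C6FC3D00000000                                  # arbitrary FILETIME
_dom = "WORKGROUP".encode("utf-16-le")
TARGET_INFO = struct.pack("<HH", 0x0002, len(_dom)) + _dom + struct.pack("<HH", 0, 0)

# NTLMv1 sample: 24-byte placeholder responses (real ones are DES-derived; not computed here)
V1_MSG = build_type3(b"\x00" * 24, b"\x11" * 24, "WORKGROUP", "luke", "XPBOX")
# NTLMv2 sample: a real proof over the sample blob
V2_MSG = build_type3(b"\x00" * 24,
                     ntlmv2_response(NT_HASH, "luke", "WORKGROUP", SERVER_CHALLENGE,
                                     CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO),
                     "WORKGROUP", "luke", "XPBOX")

if __name__ == "__main__":
    for m in (V1_MSG, V2_MSG):
        p = classify_type3(m)
        print(p["version"], p["user"], p["domain"],
              "" if p["version"] != "NTLMv2" else check_ntlmv2(p, SERVER_CHALLENGE, NT_HASH))
```

A capture server that only understands the 24-byte NTLMv1 shape has nothing usable when a client answers with the NTLMv2 form, which is consistent with the point in the message above; the classifier makes that difference observable on a captured Type 3 before any cracking is attempted.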