[framework] smb_sniffer module question

Andres Tarasco atarasco at gmail.com
Mon Dec 11 01:49:46 CST 2006


Hi luke,

I have already coded some tools that perform something like that. Take a
look at The Token Thieffer and namedpipes tools available at
http://www.514.es/2006/10/exploiting_win32_design_flaws.html

namedpipes is also able to inject payloads like lnk or desktop.ini files
into remote smb shares. Those payloads allow you to force remote network
connections and steal smb hashes, or to use smbrelay to connect to third-party
servers.

By the way, tokens stolen in that way will only allow you to connect to
network servers if the user has been authenticated locally (like services
running with a domain account) or if the server is delegated for
authentication (for example smb servers where files are stored with EFS).

Anyway, it is really useful for pentests to acquire domain credentials.

regards,

Andres Tarasco

2006/12/10, Luke J <0xlukej at gmail.com>:
>
> Heya,
>
> I've been writing a tool for utilising Windows access tokens once a box
> has been compromised. One of the first things I have made it do is to
> connect to a remote IP whilst impersonating each access token in turn,
> in order to obtain password hashes for accounts that might be domain
> accounts.
>
> It is working fine but I was wondering if the smb_sniffer output format
> was intended for any particular cracking software. As far as I am aware,
> John doesn't have the ability to crack challenge/response hashes and I
> don't think you import them directly into Cain either (though there is
> the possibility I could be wrong on both counts!!!).
>
> I could run a packet sniffer and feed the pcap file into Cain but I
> figured that the output format of smb_sniffer might have been intended
> for some cracking software in particular but couldn't find any
> information on it. Can anyone help?
>
> Cheers,
>
> Luke
>

-- 
Andres Tarasco