[framework] smb_sniffer module question
Luke J
0xlukej at gmail.com
Mon Dec 11 03:13:25 CST 2006
Hi Andres,
Thanks for the info. I looked at your presentation and it looks
interesting and I will give your tools a try. I never knew there were
any publicly available tools to play with tokens. Hopefully they don't
do everything I intended mine to do though, otherwise I have wasted my
time haha :). Even if it does though, I think it would be excellent to
integrate this sort of stuff into the meterpreter.
Cheers,
Luke
Andres Tarasco wrote:
> Hi luke,
>
> I have already coded some tools that perform something like that. Take a
> look at The Token Thieffer and namedpipes tools available at
> http://www.514.es/2006/10/exploiting_win32_design_flaws.html
>
> namedpipes is also able to inject payloads like lnk or desktop.ini files
> into remote smb shares. Those payloads allow you to force remote network
> connections and steal smb hashes or to use smbrelay to connect to third-party
> servers.
>
> By the way, tokens stolen in that way will only allow you to connect to
> network servers if the user has been authenticated locally (like services
> running with a domain account) or if the server is delegated for
> authentication (for example smb servers where files are stored with EFS)
>
> Anyway, it is really useful for pentests to acquire domain credentials.
>
> regards,
>
> Andres Tarasco
>
> 2006/12/10, Luke J <0xlukej at gmail.com>:
>>
>> Heya,
>>
>> I've been writing a tool for utilising windows access tokens once a box
>> has been compromised. One of the first things I have made it do is to
>> connect to a remote IP whilst impersonating each access token in turn,
>> in order to obtain password hashes for accounts that might be domain
>> accounts.
>>
>> It is working fine but I was wondering if the smb_sniffer output format
>> was intended for any particular cracking software. As far as I am aware,
>> John doesn't have the ability to crack challenge/response hashes and I
>> don't think you import them directly into Cain either (though there is
>> the possibility I could be wrong on both counts!!!).
>>
>> I could run a packet sniffer and feed the pcap file into Cain but I
>> figured that the output format of smb_sniffer might have been intended
>> for some cracking software in particular but couldn't find any
>> information on it. Can anyone help?
>>
>> Cheers,
>>
>> Luke
>>
>
>
>
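Added audit example, not from the thread and not part of either author's tools: a PowerShell check for the two conditions Andres names under which a stolen token can still authenticate to network servers, namely services running under a domain account and hosts trusted for delegation. The second part assumes the ActiveDirectory module from RSAT is installed and is skipped otherwise.

```powershell
# Added defensive audit (not from the thread). Lists the two conditions under
# which a token stolen on this host carries reusable network credentials:
# services running as a domain account, and accounts trusted for delegation.
# Assumes the ActiveDirectory module (RSAT) is present for part 2.

# 1. Services whose logon account is a domain account (DOMAIN\user or a UPN),
#    excluding built-in virtual accounts and local (.\user) accounts.
$domainServices = Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartName -and
        $_.StartName -notmatch '^(NT AUTHORITY|NT SERVICE|LocalSystem|\.)\\?' -and
        ($_.StartName -match '\\' -or $_.StartName -match '@')
    } |
    Select-Object Name, StartName, State, PathName
$domainServices | Format-Table -AutoSize

# 2. Computer and user accounts trusted for (unconstrained) delegation; a token
#    held on such a host can be used onward, which is the EFS file-server case
#    from the thread. Domain controllers are trusted for delegation by default.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $delegated = @(
        Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
            Select-Object @{n='Account';e={$_.Name}}, @{n='Type';e={'Computer'}}
        Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
            Select-Object @{n='Account';e={$_.SamAccountName}}, @{n='Type';e={'User'}}
    )
    $delegated | Format-Table -AutoSize
}
```

Run part 1 on each server in scope; any listed service account is one whose credentials are exposed to anyone who gains local administrator on that host.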