[framework] smb_sniffer module question
Nicolas RUFF
nicolas.ruff at gmail.com
Tue Dec 19 01:06:03 CST 2006
Hello,
> Ahh I see. I have never used l0phtcrack for the very reason of it being
> commercial. Cain is the only cracking app I know of....unless maybe
> there is a patch for john kicking around.
The "biggest" john patch I am aware of is the following:
http://www.banquise.net/misc/patch-john.html
And it is missing Windows challenge/response mechanisms.
Apart from Cain and LCP, the following tool is also able to crack
LM/NTLM challenge/response:
http://www.toolcrypt.org/tools/t2bf/index.html
A "lightweight" Open Source implementation of those protocols can be
found here:
http://www.groar.org/groar/titi/
And if you are interested in the difference between NTLM and NTLMv2:
http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/?topics=y
> Are you referring to domain based logins? I was referring to standard
> authenticated requests to the NetBIOS Session Service much like might
> occur when accessing shares that require authentication. I am far from
> an expert in windows networking but I was under the impression that they
> differ.
>
> Modern windows systems connect to trusted DC's with a machine password
> to secure the channel and I would understand that stopping smb_sniffer
> from working well with Windows XP and 2003. [...]
Modern Windows (>= Windows 2000) use Kerberos5 for domain
authentication. It is *way* different from traditional LM/NTLM
protocols, even if Microsoft's implementation of Kerberos5 reuses the NTLM
hash as the master secret.
That's not to say there is nothing to do with it:
http://ntsecurity.nu/toolbox/kerbcrack/
If your computer is joined to a domain, LM/NTLM are used in 2 cases:
- The shared resource you are connecting to is not in a "trusted" domain
(that could mean a workgroup, too).
- The "Principal Name" of the resource cannot be acquired. This is
typically the case when you "net use \\IP_address" and "IP_address" does
not resolve as a fully qualified domain name.
For example, if "IP_address" resolves as "NETBIOS_NAME" (because WINS is
configured as the primary name resolution source[*]), Windows will use
LM/NTLM to connect to it. If "IP_address" resolves as
"name.my.domain.com", Windows will acquire a Kerberos session ticket.
[*] http://www.bleepingcomputer.com/tutorials/tutorial52.html
Hope it helps,
- Nicolas RUFF