Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Pass the hash

From: me <deros68 () yahoo com>
Date: Thu, 15 Nov 2007 14:15:21 -0800 (PST)
I have an email hack that sends the Windows
credentials, without the user's knowledge or consent,
to my box - which is running CAIN.

No machine in my shop will send (downgrade
authentication) LM or NTLMv1 -- only NTLMv2 -- which
is NTLMSSP . Using CAIN I can get the suite of NTLMSSP
hashes but I cannot pass them on or crack them via
brute force.  Since these hashes are not the same as
the hashes from the SAM - I cannot pass them directly
to a RAINBOW NTLM table attack.

Before I turn over the email hack to the email vendor,
I would like very much to have a POC that either
passes the hash or a better cracker than using a
dictionary.  

It seems to me that the only viable hack is to somehow
create a MITM situation where the authentication from
my email hack is used to access some network resource
(share) on a target machine where I know the email
victim can access the resource via these credentials.

I am hoping Metasploit or CAIN will do this one day
and I know that Metasploit will pass the hash when it
is not an NTLMv2 hash.  

Any other ideas that will leverage the hashes that I
can gather - I have gathered my own hashes and
verified that a CAIN dictionary attack will accurately
match up a password to a hash (in other words the CAIN
dictionary cracker works fine).  I think that by using
a very large dictionary and using all of the CAIN
dictionary options I could probably crack 2-3
passwords from 200 hashes.  

thanks



      ____________________________________________________________________________________
Be a better sports nut!  Let your teams follow you 
with Yahoo Mobile. Try it now.  http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: