Pass the hash
- From: me <deros68@xxxxxxxxx>
- Date: Thu, 15 Nov 2007 14:15:21 -0800 (PST)
I have an email hack that sends the Windows credentials, without the user's knowledge or consent, to my box - which is running CAIN.

No machine in my shop will send (downgrade authentication) LM or NTLMv1 -- only NTLMv2 -- which is NTLMSSP. Using CAIN I can get the suite of NTLMSSP hashes, but I cannot pass them on or crack them via brute force. Since these hashes are not the same as the hashes from the SAM, I cannot pass them directly to a RAINBOW NTLM table attack.

Before I turn over the email hack to the email vendor, I would like very much to have a POC that either passes the hash or is a better cracker than using a dictionary.

It seems to me that the only viable hack is to somehow create a MITM situation where the authentication from my email hack is used to access some network resource (share) on a target machine where I know the email victim can access the resource via these credentials. I am hoping Metasploit or CAIN will do this one day, and I know that Metasploit will pass the hash when it is not an NTLMv2 hash.

Any other ideas that will leverage the hashes that I can gather? I have gathered my own hashes and verified that a CAIN dictionary attack will accurately match up a password to a hash (in other words, the CAIN dictionary cracker works fine). I think that by using a very large dictionary and using all of the CAIN dictionary options I could probably crack 2-3 passwords from 200 hashes.
thanks
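The post rests on the claim that no host in the environment ever falls back to LM or NTLMv1 (the variants that can be passed or attacked with rainbow tables). As an added example, not part of the original post or thread, the following defender-side check verifies that claim on a host: it reads the LmCompatibilityLevel policy and then searches the Security log for NTLM logons whose negotiated package was NTLM V1 or LM. It assumes Windows Vista/Server 2008 or later (Event ID 4624 with the LmPackageName field) and is meant to be run on each host to audit.

```powershell
# Added example, not from the original post. Run on each host to audit (or wrap it in
# Invoke-Command). Assumes Windows Vista/Server 2008 or later: Event ID 4624 carries the
# "Package Name (NTLM only)" field, which appears as LmPackageName in the event XML.

# 1. Policy check. LmCompatibilityLevel 0-2 still let the client send LM/NTLMv1 responses,
#    3 sends NTLMv2 only, 4 and 5 additionally refuse LM (4) and LM + NTLMv1 (5) as a server.
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$level = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
"LmCompatibilityLevel on $env:COMPUTERNAME = $level"

# 2. Evidence check. A successful NTLM logon negotiated as NTLM V1 or LM is a downgrade the
#    policy should have prevented, so list each one with its account and source.
$xpath = "*[System[EventID=4624]] and " +
         "*[EventData[Data[@Name='AuthenticationPackageName']='NTLM']] and " +
         "*[EventData[Data[@Name='LmPackageName']='NTLM V1' or Data[@Name='LmPackageName']='LM']]"

$downgrades = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable for readable field access
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            Package     = $d.LmPackageName
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
        }
    }

if ($downgrades) {
    $downgrades | Format-Table -AutoSize
} else {
    "No LM/NTLMv1 logons found in the Security log on $env:COMPUTERNAME"
}
```

Reading the Security log requires administrative rights, and the log only covers logons accepted by this host, so run the check on the file servers and domain controllers that actually receive the authentications.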