The internet is littered with wastes of space. This one is no different except that it is my waste of space.

Showing posts with label rainbow tables. Show all posts

Tuesday, April 24, 2007

NTLMv1, Metasploit and You

In Metasploit 2.7 there existed a module called "smb_sniffer" that listened as a Windows SMB server, answered every negotiation with a preset (fixed) challenge, and forced the connecting client down to NTLMv1. When I asked the devs about it they said it was for "future purposes."

That future purpose is now documented!

Step 1 - Download my slightly updated version from here and place it in your exploits/ directory.

Step 2a - Run it with root privs on a UNIX host (it doesn't work on Windows, sorry).
Step 2b - Have a Windows machine connect to your "share". They will get an access denied, but stuff like this will still work.

Step 3 - Send the captured hashes to Cain & Abel for cracking or cryptanalysis! Obtain the HALFLMCHALL tables from FreeRainbowCrack.Com, or run a brute-force, dictionary, hybrid, etc. attack.


Step 4 - Success!


One caveat: the HALFLMCHALL table only covers the first 7 characters of the LANMAN response (LM hashes the password as two independent 7-character halves, which is what makes the table feasible against a fixed challenge). You still have to brute force the last 7, and if the user's password is longer than 14 characters, you're really out of luck.

Enjoy! :)
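From the defensive side, what matters is which clients are still willing to answer with LM or NTLMv1 responses, because those are exactly the machines a rogue share like the one above harvests. The rogue server itself never shows up in domain logs, but any legitimate server that records network logons identifies such clients. The following is an added example, not code from this post or from Metasploit: it parses a constructed key=value export of Windows Security 4624 (successful logon) events and flags network logons whose LmPackageName is "LM" or "NTLM V1". The export format and the sample values are assumptions; the field names follow the 4624 event's "Detailed Authentication Information" section.

```python
"""Flag LM / NTLMv1 network logons in an exported set of Windows Security events.

Added example, not from the original post. It assumes the events were exported
as one key=value record per line (constructed format below); the field names
(EventID, LogonType, AuthenticationPackageName, LmPackageName, ...) follow the
Windows 4624 event schema.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample export: one event per line, key=value pairs.
# Only 4624 (success) with LogonType 3 (network) and a LM/NTLMv1 package
# should be flagged: bob (NTLM V1) and carol (LM).
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=alice WorkstationName=WS01 AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=bob WorkstationName=WS02 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.0.6
EventID=4624 LogonType=3 TargetUserName=carol WorkstationName=WS03 AuthenticationPackageName=NTLM LmPackageName="LM" IpAddress=10.0.0.7
EventID=4624 LogonType=2 TargetUserName=dave WorkstationName=WS04 AuthenticationPackageName=Negotiate LmPackageName=- IpAddress=127.0.0.1
EventID=4625 LogonType=3 TargetUserName=eve WorkstationName=WS05 AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.0.8
EventID=4624 LogonType=3 TargetUserName=frank WorkstationName=WS06 AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.0.9
"""

# Package names whose responses are the LANMAN / NTLMv1 kind the post captures.
WEAK_PACKAGES = {"LM", "NTLM V1"}

# key=value, where value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


@dataclass
class WeakLogon:
    user: str
    workstation: str
    ip: str
    package: str


def find_weak_logons(export: str) -> List[WeakLogon]:
    """Return successful network logons that authenticated with LM or NTLMv1."""
    hits: List[WeakLogon] = []
    for line in export.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4624":   # successful logons only
            continue
        if ev.get("LogonType") != "3":    # network logons (SMB, etc.)
            continue
        if ev.get("LmPackageName") in WEAK_PACKAGES:
            hits.append(WeakLogon(
                user=ev.get("TargetUserName", "?"),
                workstation=ev.get("WorkstationName", "?"),
                ip=ev.get("IpAddress", "?"),
                package=ev["LmPackageName"],
            ))
    return hits


if __name__ == "__main__":
    for hit in find_weak_logons(SAMPLE_EVENTS):
        print(f"{hit.package:8s} {hit.user}@{hit.workstation} from {hit.ip}")
```

Every machine the script lists is one that would hand its LM/NTLMv1 response to a rogue share; the fix on those clients is the LmCompatibilityLevel policy (3 or higher sends NTLMv2 only, so a server's preset challenge gets no LANMAN half to look up), and on servers level 5 refuses LM and NTLMv1 outright.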