From: dan@inphoworx.com
Date: Fri Nov 16 2007 - 11:29:24 EST
Are we talking black tar or blonde Lebanese? I prefer the hash under glass
technique although it's easier to share if you just sprinkle it over a bowl
of weed and pass it around. I think either technique works well with both
Windows and Unix/Linux environments. Although I do think the second
technique is pretty much required when working with a tiger team of "rogue
IT" specialists. I will say that the down side to either technique seems to
be a degradation of project planning and logistics.
Regards,
Daniel T. Jerome
President
InphoWorx, LLC
Secure Technology Solutions
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of me
Sent: Thursday, November 15, 2007 5:15 PM
To: pen-test@securityfocus.com
Subject: Pass the hash
I have an email hack that sends the Windows credentials, without the user's
knowledge or consent, to my box - which is running CAIN.
No machine in my shop will send (downgrade
authentication) LM or NTLMv1 -- only NTLMv2 -- which is NTLMSSP . Using CAIN
I can get the suite of NTLMSSP hashes but I cannot pass them on or crack
them via brute force. Since these hashes are not the same as the hashes
from the SAM - I cannot pass them directly to a RAINBOW NTLM table attack.
Before I turn over the email hack to the email vendor, I would like very
much to have a POC that either passes the hash or a better cracker than
using a dictionary.
It seems to me that the only viable hack is to somehow create a MITM
situation where the authentication from my email hack is used to access some
network resource
(share) on a target machine where I know the email victim can access the
resource via these credentials.
I am hoping Metasploit or CAIN will do this one day and I know that
Metasploit will pass the hash when it is not an NTLMv2 hash.
Any other ideas that will leverage the hashes that I can gather - I have
gathered my own hashes and verified that a CAIN dictionary attack will
accurately match up a password to a hash (in other words the CAIN dictionary
cracker works fine). I think that by using a very large dictionary and
using all of the CAIN dictionary options I could probably crack 2-3
passwords from 200 hashes.
thanks
____________________________________________________________________________
________
Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it
now. http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.15.33/1132 - Release Date: 11/15/2007
9:34 AM
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.15.33/1132 - Release Date: 11/15/2007
9:34 AM
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT