  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Other / Re: Wireshark Network Analysis - new book on: March 17, 2010, 04:24:55 PM
Guys, you can get a 35% discount on the book using this code 998tweet35 through the book's official web site:

http://www.wiresharkbook.com/

Valid until March 29.
2  Resources / Tools / Re: Identifying Server Applications on: March 16, 2010, 01:17:28 PM
This post includes great addons. I will add two addons I use:

Domain Details 2.6.5
https://addons.mozilla.org/en-US/firefox/addon/2166

ShowIP 0.8.19
https://addons.mozilla.org/en-US/firefox/addon/590
3  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CISSP vs GSEC on: March 15, 2010, 06:35:05 PM
I took GSEC and am working on taking CISSP. GSEC covers many of the domains the CISSP covers in greater technical detail. I loved it.
4  Ethical Hacking Discussions and Related Certifications / General Certification / Re: New guy here with a few questions. on: March 15, 2010, 06:26:07 PM
Welcome to the forum kriscamaro68,

I would suggest either OSCP or CEH, with a preference to OSCP as the material and the labs are very informative and hands on. You will definitely learn a lot from it.

This is just my 2c.
5  Ethical Hacking Discussions and Related Certifications / General Certification / Re: new "kid" on the block on: March 15, 2010, 06:22:57 PM
Hi Dutchie,

Welcome to the forum. I'm using the EC-Council Press Series for CEH. Very useful resource, with a great price. It focuses on the exam objectives so you won't find all the modules in there, only the ones that are covered in the exam. They introduce the concept then give hands-on exercises; there is also a website supporting the books where you can find the tools covered as well as some white papers etc.

Check it out:
http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=Ec-Council+Press+Series%3A+Certified+Ethical+Hacker&x=0&y=0
6  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-March 2010 Free Giveaway Sponsor - Offensive Security on: March 15, 2010, 06:14:20 PM
chrisj, you don't need PWB to take WiFu.
7  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit Question on: January 22, 2010, 02:27:48 PM
jonas, unless you managed to run it as a scheduled task which runs with system privileges, you won't be able to dump the hash.
8  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit Question on: January 18, 2010, 08:26:20 PM
You can use Metasploit's meterpreter payload to either drop the machine's NTLM hashes then crack them or upload a local exploit and execute it.

I posted about meterpreter recently on my personal blog.

http://www.ethicalhack3r.co.uk

Dumping the hash will not work because it requires administrator rights.
9  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: SMB Credentials on: January 18, 2010, 08:00:30 PM
Windows 7 uses NTLMv2 by default. Using Metasploit smb sniffer you will be able to get it.

But you should note that in NTLMv2 the server challenges the client and the client challenges the server; this makes the process of cracking it to get the actual hash extremely hard when compared to NTLM, which only uses the server challenge.
10  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pass-the-hash on other system is it possible? on: January 14, 2010, 06:07:28 PM
Thanks timmedin

Quote
Pass-the-hash works because the hash is reused without modification and it is the sole piece used for authentication. This is the same reason that cookie and session hijacking work in web apps.

How can you get transparent access to the network without storing users' credentials somewhere? And without asking users to enter their passwords each time they want to access a resource on the network?

What will the modification do to the process?

Quote
The attack is specific to the protocol and its authentication mechanism, NTLMv1 authentication. You won't be able to authenticate to a *nix ssh server or ftp server, but it will work against a samba server that supports NTLMv1 auth.

I'm not that familiar with Linux so please don't flame me if the question sounded silly.

If a company is working in a pure Linux environment, where users will pretty much be accessing shared folders to work on files, print files, etc., how will they be able to do it without being asked for their passwords each time they want to use a resource?

11  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Pass-the-hash on other system is it possible? on: January 11, 2010, 01:27:47 PM
Right now pass-the-hash attacks work against Windows systems and, to some extent, some web applications.

But what about other operating systems, e.g. Linux, Mac OS? Can they be attacked using a pass-the-hash attack? I know that there are no tools (that I am aware of) to do such attacks against systems such as Linux, yet. But at least in theory any system that uses single sign-on can be attacked via a pass-the-hash attack.

So is it safe and correct to say that pass-the-hash is possible/impossible in an environment where Linux/OS X is the only OS used?
12  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Cached Credentials and LM hash on: December 28, 2009, 06:33:17 PM
Thank you guys for responding back.

@unsupported, the hashes are from lab machines that are not facing the internet, but I agree with you and thanks for the tip. I know that a password that is 15 characters long will not be stored as an LM hash. I used one in addition to setting NoLMHash, but it puzzled me that when using metasploit hashdump I get both the LM and NTLM hashes and LM was not zeros. (Heck, fgdump shows zeros on the machine itself.)

@Ketchup, yes I did change the password for the testing account that was created before having NoLMHash enabled. But after having it enabled, I created a new account and the newly created account had an LM hash available/stored (not zeros).

So it seems even after enabling NoLMHash any new account needs to change its password to make sure it will not be stored as an LM hash.

That's something I try to understand.
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Cached Credentials and LM hash on: December 26, 2009, 10:36:32 AM
I have a domain controller and a workstation that is a member of this domain.

The domain (2003 SP2) has LMCompatibilityLevel set to 4
The workstation (XP SP3) has LMCompatibilityLevel set to 3 and NoLMHash set to 1.

I logged on the workstation as a user with domain admins rights, then used a tool called mscvtl.exe to list the credentials and got the following:

DOMAIN\Administrator a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

Using fgdump on the domain I got the following:
Administrator:500:a0d412ed972ffe81aad3b435b51404ee:312c6174da490caeb422f3fa5a7aeer4

As you can see the hashes obtained from both the domain and the workstation are the same.

I know that cached credentials are different from LM and NTLM hashes, as they are hashed with the username.

So my questions based on this:

Why are the cached credentials on the workstation exactly the same as the ones on the domain (not different from it)?

Why is LM being stored on the station despite the fact that NoLMHash is set to prevent the LM hash from being stored?

Thank you
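
An added example, not part of the original posts: a small audit of pwdump-format lines (the `user:RID:LM:NT:::` layout shown above) that reports which accounts still carry a stored LM hash, for re-checking a machine after NoLMHash is set. The sample lines are constructed, except that the first reuses the LM value quoted in the post; treating a non-hex placeholder or all zeros in the LM column as "no LM hash" is an assumption about the dumping tool's output.

```python
import re

# LM hash of an empty 7-character half. A password of 7 characters or fewer
# leaves the second half at this value; an absent LM hash repeats it twice.
EMPTY_HALF = "aad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def classify_lm(lm_field):
    """Classify the LM column of one pwdump-format line."""
    lm = lm_field.strip().lower()
    if not HEX32.match(lm):
        return "not-stored"       # assumption: tool printed placeholder text
    if lm == EMPTY_HALF * 2 or set(lm) == {"0"}:
        return "not-stored"       # empty LM constant, or zeroed column
    if lm[16:] == EMPTY_HALF:
        return "stored-short"     # LM stored, password is 7 chars or fewer
    return "stored"

def audit(lines):
    """Return (user, rid, state) for every account with a stored LM hash."""
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue              # skip blanks, banners, malformed rows
        state = classify_lm(parts[2])
        if state != "not-stored":
            findings.append((parts[0], int(parts[1]), state))
    return findings

# Constructed sample input (NT column values are made up).
SAMPLE = """\
Administrator:500:a0d412ed972ffe81aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::
newuser:1106:1f2e3d4c5b6a79881a2b3c4d5e6f7081:fedcba9876543210fedcba9876543210:::
olduser:1107:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
""".splitlines()

if __name__ == "__main__":
    for user, rid, state in audit(SAMPLE):
        print(f"{user} (RID {rid}): LM hash {state}")
```
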
14  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Cached Credentials and LM hash on: December 26, 2009, 01:22:59 AM
Do you guys know a way to prevent an LM hash from being stored as part of cached credentials?
15  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: [Opinion] CEHv6 self-study material on: December 17, 2009, 02:24:33 AM
FYI,

The online material was added to the website which is great. This series is great, and the price is reasonable. (~$150 for the whole series)
© 2013 The Ethical Hacker Network