Hi all.

I have read that windows 2003 server supports LM authentication for backward compatibility with older windows machine. In my lab setup, i have windows 2003 server, backtrack r4, and windows 98 and windows xp. Now the communication is genuine between 2003 server and windows xp but i need to redirect 2003 authentication to windows 98 so that passwords are sent in lm hashes rather than ntlm. This is hypothetical at this point. Before actually doing this setup, i just need to know am i thinking in the right direction ? can i sniff lm hashes using this way ?

Agree with Jamie, if you find a Windows 98 system still in a production environment there are many things you can do to it that are probably much easier than having to dump hashes.  Shoot if password caching is enabled, I think Win98 stores them in plaintext. 

You're average environment will be Windows 2003, Windows XP SP2/SP3.  You will also see more Windows 2008 boxes.  What you should also try and add to the lab is a Windows 7 system.  Eventually enterprises will have to move to it and many are gearing up for that move.  They will either go physical migrations or possibly using VDI solutions so they can maintain their legacy apps on XP. 

Is this in your own lab? Are you just trying to sniff LM passwords? If so, why don't you just change the box to allow LM hashes? http://technet.microsoft.com/en-us/library/cc738867(WS.10).aspx

If you're practicing port forwarding, just use something like this: http://www.quantumg.net/portforward.php