Pass-the-hash question

    • #4415

      Is it possible to use a sniffed hash from a connection between a Windows XP station and a Windows 2003 domain controller in a pass-the-hash technique?

      Or is it possible only if one used a tool like the Pass-the-Hash Toolkit on the Windows XP station, or had it authenticate to a station that is running the Metasploit SMB module?


    • #27807

      As long as you have a utility that will pass the hash, I’m pretty sure you can use the proper hash no matter where you got it from.

    • #27808

      Thank you BillV.

      I tried the sniffed hash with Metasploit and smbshell but it did not work. So I’m guessing it works only with the Pass-the-Hash Toolkit; I have to try it with this tool, though, before I conclude.

      Here is my environment if that can help.

      I have one domain controller (named DC), one workstation connected to the domain (named W1) and one workstation that is in a workgroup (s1). I also have an Ubuntu box running Metasploit 3.3rc1 and Nessus 4.

      I have Cain & Abel installed on s1 and use it to sniff connections between DC and W1 and also between W1 and s1. The hashes I sniffed I used in Metasploit and smbshell as mentioned before, but with no luck.

      I tried running the SMB module in Metasploit and had s1 connect to it via a URL link with the image source set to \ubuntuimagetrick.gif. But I did not capture anything when I opened the HTML page from s1.

      Any idea? Did I do anything wrong?

      Thanks in advance for the help.

    • #27809

      This is the capture I gathered using the SMB module from s1:

      msf auxiliary(smb) > run
      [*] Auxiliary module execution completed

      [*] Server started.
      msf auxiliary(smb) > [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e4c33d3f1f2ef7952138d27242654f7a010100000000000029a52bd3b164ca013e2d8eb406b3f0d400000000020000000000000000000000 OS: LM:
      [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:3a453950d098e9b59f88eaa5628bee520101000000000000f9ea2fd3b164ca0112a09ea79a0a637900000000020000000000000000000000 OS: LM:
      [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:95782ca14bd78a4c70be953811709d71010100000000000098bb33d3b164ca01ae0245df301f235500000000020000000000000000000000 OS: LM:
      [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:8ea08aa689958a547540711096d14aee0101000000000000680138d3b164ca0190afd31a5d8b575a00000000020000000000000000000000 OS: LM:
      [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:aec3bb6e5d2f6f12bd83c0ef46a9e139010100000000000069bc3cd3b164ca015948d33cd527cce100000000020000000000000000000000 OS: LM:
      [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:1ded841a3d184703ef5b115de99d8b3001010000000000004a2941d3b164ca0153d0e59769fe94de00000000020000000000000000000000 OS: LM:
      [*] Captured victim LMHASH:000000000000000000000000000000000000000000000000 NTHASH:e8b28d52e979c73f8ef6e8d6dd00ec120101000000000000094845d3b164ca016abaf5dd251d583700000000020000000000000000000000 OS: LM:

      You can see that for the same session (loading one page once) I gathered multiple NTLM hash values, and these values need “some processing” before getting the real NTLM hash.
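
The values the module labels NTHASH are not NT hashes: each is a 16-byte NTLMv2 proof (an HMAC-MD5) followed by the client's NTLMv2 blob, and the 0101... prefix is that blob's signature (the all-zero LMHASH field is a 24-byte empty LM response). The decoder below is an added example, not code from this post or from Metasploit; it splits the seven captured strings into their fields using the NTLMv2_RESPONSE and NTLMv2_CLIENT_CHALLENGE layouts from MS-NLMP, and shows that every line carries a different client challenge and a slightly later timestamp, which is why one page load produced seven different values.

```python
"""Decode the NTHASH values printed by the Metasploit SMB capture module.

Added example, not code from this thread or from Metasploit. The seven hex
strings are the NTHASH fields copied from the capture above; the field layout
follows the NTLMv2_RESPONSE / NTLMv2_CLIENT_CHALLENGE structures in MS-NLMP.
"""
import struct
from datetime import datetime, timedelta, timezone

# NTHASH fields from the capture in this post (the LMHASH fields were all zeros).
CAPTURED_NTHASH = [
    "e4c33d3f1f2ef7952138d27242654f7a010100000000000029a52bd3b164ca013e2d8eb406b3f0d400000000020000000000000000000000",
    "3a453950d098e9b59f88eaa5628bee520101000000000000f9ea2fd3b164ca0112a09ea79a0a637900000000020000000000000000000000",
    "95782ca14bd78a4c70be953811709d71010100000000000098bb33d3b164ca01ae0245df301f235500000000020000000000000000000000",
    "8ea08aa689958a547540711096d14aee0101000000000000680138d3b164ca0190afd31a5d8b575a00000000020000000000000000000000",
    "aec3bb6e5d2f6f12bd83c0ef46a9e139010100000000000069bc3cd3b164ca015948d33cd527cce100000000020000000000000000000000",
    "1ded841a3d184703ef5b115de99d8b3001010000000000004a2941d3b164ca0153d0e59769fe94de00000000020000000000000000000000",
    "e8b28d52e979c73f8ef6e8d6dd00ec120101000000000000094845d3b164ca016abaf5dd251d583700000000020000000000000000000000",
]

AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_ntlmv2_response(hexstr: str) -> dict:
    """Split an NtChallengeResponse into NTProofStr and the decoded client blob."""
    raw = bytes.fromhex(hexstr)
    if len(raw) <= 16 + 28:
        # A 24-byte value would be an LM/NTLMv1 response, not NTLMv2.
        raise ValueError("too short for an NTLMv2 response: %d bytes" % len(raw))
    proof, blob = raw[:16], raw[16:]
    # RespType, HiRespType, Reserved1, Reserved2, TimeStamp, ChallengeFromClient, Reserved3
    resp_type, hi_resp_type, _r1, _r2, filetime, client_challenge, _r3 = struct.unpack("<BBHIQ8sI", blob[:28])
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("blob does not start with the 0x0101 NTLMv2 signature")
    av_pairs, pos = [], 28
    while True:  # AV_PAIR list, terminated by MsvAvEOL (id 0, len 0); 4 reserved bytes follow
        av_id, av_len = struct.unpack("<HH", blob[pos:pos + 4])
        pos += 4
        if av_id == 0:
            break
        av_pairs.append((AV_NAMES.get(av_id, av_id), blob[pos:pos + av_len]))
        pos += av_len
    return {
        "proof": proof,                        # HMAC-MD5 over server challenge + blob
        "blob": blob,                          # the data the HMAC covered (server challenge is not in it)
        "timestamp": filetime_to_datetime(filetime),
        "client_challenge": client_challenge,  # 8-byte nonce chosen by the client per authentication
        "av_pairs": av_pairs,
    }


def why_they_differ(captures):
    """Return (distinct proofs, distinct client challenges, timestamps strictly increasing)."""
    parsed = [parse_ntlmv2_response(h) for h in captures]
    stamps = [p["timestamp"] for p in parsed]
    return (len({p["proof"] for p in parsed}),
            len({p["client_challenge"] for p in parsed}),
            all(a < b for a, b in zip(stamps, stamps[1:])))


if __name__ == "__main__":
    for h in CAPTURED_NTHASH:
        p = parse_ntlmv2_response(h)
        print(p["timestamp"].isoformat(), p["client_challenge"].hex(), p["proof"].hex(), p["av_pairs"])
    print("distinct proofs, distinct client nonces, time-ordered:", why_they_differ(CAPTURED_NTHASH))
```

The decoded blobs are all from November 2009 and a few tens of milliseconds apart, each with a fresh 8-byte client nonce and an empty MsvAvNbDomainName pair. Only the 16-byte proof depends on the password, and it was computed over the server's challenge as well as the blob, so neither the NT hash nor anything that pass-the-hash could replay is present in these strings.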

    • #27810

      I believe you are talking about three different scenarios, and each works differently.

      1. Sniffing – When sniffing the authentication between two machines there is a “challenge” value used. If you don’t know this value, you won’t be able to use the hash.

      2. MSF SMB – This uses a static hash on the client (the Metasploit box) so the hash can be retrieved. MSF handles this for you and you can use these hashes in the pass-the-hash attack.

      3. Dump – These hashes can be used for pass the hash.

      So that explains why your sniffing didn’t work.

      I don’t know why your \ubuntublahblah didn’t work. If you “ping ubuntu” from the other machine, does it work? My assumption is that it can’t resolve “ubuntu” and fails before it even tries to connect.

    • #27811

      Thanks so much timmedin for the detailed explanation.

      In my previous post, I posted a capture I gathered from the MSF SMB module. What I did to the HTML page to make it work is that I changed the img URL to this

      But as you can see from the capture, LM is not used at all. The NTLM hash is much longer than usual. I’m not sure if further tweaks need to be done to the hash to make it usable, or if it can’t be used at all.

      Any idea?


    • #27812

      1. Sniffing – When sniffing the authentication between two machines there is a “challenge” value used. If you don’t know this value you won’t be able to use the hash.

      How hard/easy is it for an attacker to guess/crack the challenge? What if both the workstation and the server only support NTLM, or only NTLMv2?


    • #27813

      Did you try using Cain & Abel or Opht to crack it? Since you have the password hash that is “encrypted” with the challenge, you can’t use it in a pass-the-hash attack. You need just the password hash to use it in the pass-the-hash attack.

    • #27814

      Here is the blog post from on the subject.

    • #27815

      Thanks much timmedin. Incidentally, I was reading the post you kindly provided a link to.

      This is my understanding of the subject. Cracking a sniffed challenge-response hash to get the password hash is not an easy task (time-wise) when the challenge key is not known. If the challenge key is known, the process will be much easier. This is, however, if LM/NTLM challenge-response is sniffed; if NTLMv2 is sniffed, it will be extremely hard to do.

      Thanks a lot timmedin for all your help in this post.

    • #27816

      If you get bored, I have some stuff on capturing challenge hashes and having fun with them in my presentation at; Basically, if you have a static challenge for NTLMv1 auth, then you haven’t really increased the complexity of cracking the password by very much. The reason for this is that for NTLMv1 only the server sets a challenge. In NTLMv2 both the client and the server set a challenge, and so it makes it almost impossible to use any sort of time-tradeoff method such as rainbow tables to crack the password. You are left with brute force. The two challenges don’t increase the complexity significantly over having a single random challenge, but it does mean that having control over one of the challenges will not help you much.

      Turning off LM also increases the complexity of cracking NTLMv1 challenge/response, as you are left having to crack a whole hash, whereas with the LM portion of NTLMv1 you can perform an attack known as a half-LM challenge attack, which will get you the first 8 characters of the password a lot faster and then allow you to only brute-force the last X characters of the password. If the password is < 11 characters, the time isn’t significant. Passwords over 11 characters still require a fair amount of time, and it goes up exponentially as you add characters.

      Anyway, hope this helps some.

    • #27817

      Very informative Ryan, thank you so much!

Copyright ©2021 Caendra, Inc.
