Hi,

I put a sniffer in our Windows AD domain as part of a security audit, and I was able to sniff a user who is authenticating to the proxy server.

I wanted to try to find the password, but it seems I can't figure out whether it's LM, NTLM, Kerberos, or something else. It doesn't look like LM or NTLM; am I wrong?

I captured it using ettercap from BackTrack 4.2. Here is what I captured:

HTTP : 172.25.32.101:8080 -> USER: mranol PASS: (NTLM) mranol:"":"":5c6802e93ccfdab1000000000000000000000 00000000000:f82969f3363ca76f7bd7ba2b81c6ca7308d6cb 44c25451a3:9545bb3fbc34ceba

INFO: Proxy Authentication

HTTP : 172.25.32.101:8080 -> USER: mranol PASS: (NTLM) mranol:"":"":d3a3f5b3c9b131d7000000000000000000000 00000000000:5f051c848e150d53a17881b55154a76b08beb6 614e6d577f:d4fa1dafe981696a


Any ideas which algorithm is being used?

Thanks a lot,