
Thread: Password HASH mystery

  1. #1
    Just burned his ISO (Join Date: Jul 2008, Posts: 9)

    Password HASH mystery

    Well, I used Metasploit and the server/capture/smb module to get a password hash from one of my computers. It seemed to work great: the log file had the correct user name, and the LM hash and NT hash were all there.
    So I put this into John the Ripper with a dictionary attack. Inside the dictionary I put the password (since this was my computer I knew what it was) so I could test it out. It ran through the list and nothing. Hmmmm.
    So next I loaded Cain onto my other computer and grabbed the password hash, and to my surprise the password hashes that Metasploit grabbed and the hash that Cain grabbed are completely different.
    I was wondering if anyone knows why this is.

  2. #2
    Just burned his ISO (Join Date: Jul 2008, Posts: 9)

    If this helps anyone, this is the output from Metasploit:
    MERLIN-TOWER:192.168.2.26:<NULL>:<NULL>:Windows 2002 Service Pack 3 2600:<NULL>:<NULL>:Mon Jul 21 20:55:19 +0000 2008
    MERLIN-TOWER:192.168.2.26:overide:MERLIN-TOWER:Windows 2002 Service Pack 3 2600:b94c1ccc82fdf4cb285b2c1636b3e72bd536c288ba55757f:b9f18d934f9a3d21cc9fb562e21ea99aa61bfa0671ea5fc8:

    and here is the actual hash off the computer:
    overide:"":"":01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537

    As you can see, they clearly don't match.
    Has anyone else had this problem or tried to do this?

  3. #3
    Developer (Join Date: Mar 2007, Posts: 6,124)

    http://grutztopia.jingojango.net/200...t-and-you.html

    I was asked to post this for merlin because he doesn't have enough posts to include a link.

  4. #4
    Just burned his ISO (Join Date: Jul 2008, Posts: 9)

    To get the smb_sniffer to work in Metasploit, download the updated/modified version from the link; it creates an extra file that saves a password log. This can then be imported into Cain and cracked. Tested it myself, it works great.

  5. #5
    Just burned his ISO (Join Date: Sep 2007, Posts: 2)

    Password HASH mystery

    This is because, as you will notice when you use the smb_sniffer.pm module, you are appending a "challenge" string to the mix. I am trying to figure out this very thing. You see, the hash over the network is not the same as the hash exported from, say, Cain (LSA).

    Does anyone know of a way to "apply" the challenge to an NT/LM hash and get the output? Or, a better question: does anyone know what the algorithm is for computing the challenge + hashes? I could write something, but I have a client that I am trying to level this against and time is of the essence.

    ril3y
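The "challenge + hash" computation asked about above is the LM/NTLMv1 challenge-response step of the NTLM protocol (DESL() in Microsoft's MS-NLMP specification): the 16-byte stored hash is zero-padded to 21 bytes, split into three 7-byte DES keys, and each key encrypts the 8-byte server challenge, producing the 24-byte (48 hex character) values seen in the Metasploit capture earlier in this thread. The Go program below is an added example written for this page, not code from the thread, Metasploit or Cain; its inputs are the published MS-NLMP test vectors (NT and LM hashes of the password "Password", server challenge 0123456789abcdef), so the output can be checked against the specification.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// desKeyFrom7 expands 7 key bytes (56 bits) into the 8-byte form DES wants:
// each output byte holds 7 key bits shifted left by one, parity bit clear.
func desKeyFrom7(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7[:7] {
		bits = bits<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 0; i < 8; i++ {
		k8[i] = byte((bits>>uint(49-7*i))&0x7f) << 1
	}
	return k8
}

// ChallengeResponse is DESL() from MS-NLMP, the step that turns a stored LM or
// NT hash into what crosses the wire: zero-pad the 16-byte hash to 21 bytes,
// split into three 7-byte DES keys, encrypt the 8-byte challenge under each.
func ChallengeResponse(hashHex, challengeHex string) (string, error) {
	hash, errH := hex.DecodeString(hashHex)
	chal, errC := hex.DecodeString(challengeHex)
	if errH != nil || errC != nil || len(hash) != 16 || len(chal) != 8 {
		return "", fmt.Errorf("need a 16-byte hash and an 8-byte challenge, both in hex")
	}
	padded := make([]byte, 21) // bytes 16..20 stay zero
	copy(padded, hash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKeyFrom7(padded[7*i : 7*i+7]))
		if err != nil {
			return "", err
		}
		block.Encrypt(resp[8*i:8*i+8], chal)
	}
	return hex.EncodeToString(resp), nil
}

func main() {
	// Constructed input: MS-NLMP test vector, NT hash of "Password" with challenge 0123456789abcdef.
	r, err := ChallengeResponse("a4f49c406510bdcab6824ee7c30fd852", "0123456789abcdef")
	fmt.Println(r, err)
}
```

Because the wire value is a keyed function of a challenge the server picks, it cannot be compared directly against the hash stored on the machine; that is why cracking tools file captured SMB authentications under a separate "challenge/response" hash type rather than as plain LM/NT hashes.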

  6. #6
    Junior Member (Join Date: Aug 2007, Posts: 63)

    I gave it a shot with that capture smb authentication from running the Metasploit smb_sniffer exploit, but what you get when someone is connecting to you is the HALFLM challenge authentication type of hash, so if you use Cain & Abel, try that type of hash... No idea what to do with JtR.
