Password HASH mystery
Well, I used Metasploit and the server/capture/smb to get a password HASH on one of my computers. It seemed to work great: the log file had the correct user name, and the LM hash and NT hash were all there.
So I put this in John the Ripper with a dictionary attack; inside the dictionary I put the password (since this was my computer, I knew what it was) so I could test it out. It ran through the list and nothing. Hmmmm.
So next I loaded Cain onto my other computer and grabbed the password HASH, and to my surprise the password hash that Metasploit grabbed and the hash that Cain grabbed are completely different.
I was wondering if anyone knows why this is.
If this helps anyone, this is the output from Metasploit:
MERLIN-TOWER:192.168.2.26:<NULL>:<NULL>:Windows 2002 Service Pack 3 2600:<NULL>:<NULL>:Mon Jul 21 20:55:19 +0000 2008
MERLIN-TOWER:192.168.2.26veride:MERLIN-TOWER:Windows 2002 Service Pack 3 2600:b94c1ccc82fdf4cb285b2c1636b3e72bd536c288ba557 57f:b9f18d934f9a3d21cc9fb562e21ea99aa61bfa0671ea5f c8:
and here is the actual hash off the computer:
As you can see, they clearly don't match.
Has anyone else had this problem or tried to do this?
I was asked to post this for merlin, due to the fact he doesn't have enough posts for a link.
To get the smb_sniffer to work in Metasploit, download the updated/modified version from the link; it makes an extra file that saves a password log. This can then be imported into Cain and cracked. Tested it myself, it works great.
This is because you will notice that when you use the smb_sniffer.pm module, you are appending a "challenge" string to the mix. I am trying to figure out this very thing. You see, the HASH over the network is not the same as the HASH exported from, say, Cain (LSA).
Does anyone know of a way to "apply" the challenge to an NT LM hash and get the output? Or, a better question: does anyone know what the algorithm is for computing the challenge + hashes? I could write something, but I have a client that I am trying to level this against, and time is of the essence.
I gave it a shot with that capture SMB authentication from running the Metasploit smb_sniffer exploit, but what you get when someone is connecting to you is the HALFLM challenge authentication type of hash, so if you use Cain and Abel, try that type of hash... No idea what to do with JtR.
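The question in this thread (why the value captured on the wire is not the stored hash, and what the challenge does to it) can be shown directly. This is an added example, not code from any poster: it computes the stored NT hash and then the NTLMv2 proof value (HMAC-MD5 keyed from the NT hash over the server challenge, per MS-NLMP) for two different challenges; the NTLMv1/HALFLM responses in the captures above are derived with DES on the hash instead, but the principle is identical. The user name, domain, challenges and blob are constructed sample values, and MD4 is implemented in-file because hashlib's MD4 is frequently disabled in modern OpenSSL builds.

```python
import hmac
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # MD4 round-3 word order

def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's legacy MD4 is often unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(48):
            i = r % 16
            if r < 16:    # round 1: F, message words in order, no constant
                f, k, const, s = (b & c) | (~b & d), i, 0, (3, 7, 11, 19)[i % 4]
            elif r < 32:  # round 2: G, column order 0,4,8,12,1,5,...
                f, k, const, s = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4, 0x5A827999, (3, 5, 9, 13)[i % 4]
            else:         # round 3: H, bit-reversed order
                f, k, const, s = b ^ c ^ d, _R3[i], 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + (f & MASK) + x[k] + const) & MASK, s), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """The stored NT hash: MD4 over the UTF-16LE password. No challenge is involved."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP 3.3.2: the value that actually crosses the wire for NTLMv2."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, md5).digest()

def demo(password="password", user="merlin", domain="MERLIN-TOWER"):
    """Constructed sample: same password, two server challenges. Returns (nt_hash, proof1, proof2)."""
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4  # constructed minimal blob
    proof1 = ntlmv2_proof(password, user, domain, b"\x01" * 8, blob)
    proof2 = ntlmv2_proof(password, user, domain, b"\x02" * 8, blob)
    return nt_hash(password), proof1, proof2

if __name__ == "__main__":
    for label, v in zip(("stored NT hash", "proof, challenge 01*8", "proof, challenge 02*8"), demo()):
        print(f"{label:22}: {v.hex()}")
```

Because the wire value depends on the challenge, a cracker must be given both the response and the challenge it was computed against, which is why the captured value cannot be compared to, or cracked as, the LSA hash on its own.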