
Thread: Passing the hash for SMB shares


  1. #1
    Just burned his ISO
    Join Date: Apr 2006
    Posts: 13

    Passing the hash for SMB shares

    Maybe you have heard about it since there is a little hype about it right now.

    Here's a short description of what passing the hash is all about:
    When you normally log in to an SMB share you have to enter your username/password combination.
    But the good thing is, you do not have to know the password when you know the password hash. That means you can log in to any SMB share where you know the username/password hash combination.

    The main advantage is that Rainbow Tables for LM/NTLM hashes become redundant. You do not have to know the password.

    How does it work?
    To authenticate to an SMB share, the Samba client/Windows only uses the password hash but not the password, so all that has to be done is use a modified SMB client which takes the password hash.

    In summary, all that is needed is a modified Samba client which uses a username/password hash combination instead of a username/password combination!
    A modified Samba client can be found here:
    foofus.net/jmk/passhash.html

    More information on LM/NTLM authentication can be found here:
    heise-security.co.uk/articles/75235

    An SMB proxy can be found here:
    cqure.net/wp/?page_id=11

    For Windows, the password hash is changed using DLL injection:
    oss.coresecurity.com/projects/pshtoolkit.htm
    hexale.blogspot.com
    truesecurity.se/blogs/murray/default.asp

  2. #2
    Just burned his ISO
    Join Date: Apr 2006
    Posts: 13

    I've recently tried it and it worked!
    I just patched the samba source with the patch available here:
    foofus.net/jmk/passhash.html

    So it should not be too much work to include this in the next version, but it would be a great new feature.

  3. #3
    thorin (My life is this forum)
    Join Date: Jan 2010
    Posts: 2,629

    Cool will have to test this out sometime.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Junior Member
    Join Date: Apr 2006
    Posts: 33

    But how do you find the password hash?

    (I'm learning)

  5. #5
    thorin (My life is this forum)
    Join Date: Jan 2010
    Posts: 2,629

    Sniff some network traffic, boot a system with a Linux CD and get a SAM extract, etc...

  6. #6
    Just burned his ISO
    Join Date: Apr 2006
    Posts: 13

    Originally Posted by thorin:
        Sniff some network traffic, boot a system with a Linux CD and get a SAM extract, etc...

    No, you cannot get the hash from network traffic. See heise-security.co.uk/articles/75235 for more details.

    The passing-the-hash technique becomes useful when the administrator of your LAN has the same account on every machine so that he can remotely administer these machines. You are sitting on one of these machines and run pwdump or something like that....

  7. #7
    imported_wyze (Jenkem Addict)
    Join Date: Jul 2007
    Posts: 1,543

    Originally Posted by hattrick:
        But how do you find the password hash?

        (I'm learning)

    A book I read a little while back explained it well:

    Sniff the traffic on 139 and/or 445. The challenge is 0x72 and the response is 0x73 @ byte 28

    tcpdump -nes 0 -w <file> tcp[28]=0x72 or tcp[28]=0x73 or tcp[40]=0x72 or tcp[40]=0x73
    dd if=/dev/swc666 of=/dev/wyze

  8. #8
    thorin (My life is this forum)
    Join Date: Jan 2010
    Posts: 2,629
