Passing the hash for SMB shares

[Huegel]

Maybe you have heard about it since there is a little hype about it right now.

Here's a short description of what passing the hash is all about:
When you normally log in to a SMB share you have to enter your username/password combination.
But the good thing is, you do not have to know the password when you know the password hash. That means you can log in to any SMB share where you do know the username/passwordhash combination.

The main advantage is that Rainbow Tables for LM/NTLM hashes become redundant. You do not have to know the password.

How does it work?
To authenticate to a SMB share, the Samba client/Windows only uses the password hash but not the password, so all that has to be done is use a modified SMB client which takes the passwordhash.

In summary all that is needed is a modified Samba client which uses username/passwordhash combination instead of username/password cominations!
A modified Samba client can be found here:
foofus.net/jmk/passhash.html

More information on LM/NTLM authentication can be found here:
heise-security.co.uk/articles/75235

A SMB proxy can be found here:
cqure.net/wp/?page_id=11

For Windows, the passwordhash is changed using dll injection:
oss.coresecurity.com/projects/pshtoolkit.htm
hexale.blogspot.com
truesecurity.se/blogs/murray/default.asp

[Huegel]

I've recently tried it and it worked!
I just patched the samba source with the patch available here:
foofus.net/jmk/passhash.html

So it should not be to much work to include this in the next version but it would be a great new feature.

[thorin]

Cool will have to test this out sometime.

[hattrick]

but how do u find the password hash?

(im learning)

[thorin]

Sniff some network traffic, boot a system with a Linux CD and get a SAM extract, etc...

[Huegel]

Sniff some network traffic, boot a system with a Linux CD and get a SAM extract, etc...

No you cannot get the hash from network traffic. See heise-security.co.uk/articles/75235 for more details.

The passing the hash technique becomes usefull when the administrator of your LAN has the same account on every machine so that he can remotely administer these machines. You are sitting on one of these machines and run pwdump or something like that....

[thorin]

I only skimmed it but I didn't see anything in that article that said you can't get it from network traffic, especially if the AD is maintaining lame NT4 compatability and there are NT4 systems on the network. In fact the picture on the second page shows the l0pht (?) option "Retrieve by sniffing the local network - Sniffing captures encrypted hashes in transit over your network....."

[Huegel]

The relevant stuff for sniffing hashes in your LAN is on page three:
heise-security.co.uk/articles/75235/2

A windows machine never sends the hash itself across the LAN, even with LM hashes. The server sends a challenge to the client and the client encrypts the challenge with parts of the hash.

But it's possible to crack a password using the data being sent across the LAN. This is possible because the challenge is sent unencrypted. The attacker encrypts the challenge with hashes (generated with passwords from a wordlist) and checks if the encrypted challenge matches the one the server accepted. With this attack you get the hash but you don't need it anymore since you do know the password.

[imported_wyze]

but how do u find the password hash?

(im learning)

A book I read a little while back explained it well:

Sniff the traffic on 139 and/or 445. The challenge is 0x72 and the response is 0x73 @ byte 28

tcpdump -nes 0 -w <file> tcp[28]=0x72 or tcp[28]=0x73 or tcp[40]=0x72 or tcp[40]=0x73

[thorin]

http://www.darknet.org.uk/2007/11/pa...-for-download/