Thread: Sniffing domain passwords?

  1. #1
    Member | Join Date: Jul 2007 | Posts: 104

    Sniffing domain passwords?

    Hi, I'm just wondering if there is a way to sniff domain passwords / hashes as they go across the network. Is there a filter for this in ettercap maybe (Or another program)? I tried sniffing with default ettercap settings while I logged onto my domain from another computer and it gave me some weird error. (If it's relevant to post I'll recreate it if needed.) I really don't know where to start so any help or point in the right direction would be great. Thanks.

  2. #2
    cyberconsole (Junior Member) | Join Date: Aug 2007 | Posts: 57

    Well, you're not going to just get the passwords in clear text, but ettercap is capable of sniffing SMB traffic. It's not really even necessary to ARP poison your victim machine to grab his or her hash.
    Learn the difference between LM, NTLM and NTLMv2. Google for "smb packet capture". Once you learn how it all works it should be a piece of cake to create a scenario in your test environment.
    There's no fate but what we make for ourselves.

    -I already know I cant spel-
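As an added example (not code from any poster in this thread), here is the check an auditor runs over captured SMB authentication to see which flavour a client actually sent: it parses an NTLMSSP AUTHENTICATE (type 3) message and tells LM, NTLMv1 and NTLMv2 apart by the length of the NT response. The fixture builder and all names are my own assumptions; the message layout follows the published NTLMSSP format.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3

def _field(buf, off):
    # A "security buffer": uint16 length, uint16 max length, uint32 absolute offset.
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def classify_ntlm_authenticate(msg):
    """Return (flavor, user, domain) for an NTLMSSP AUTHENTICATE (type 3) message."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != AUTHENTICATE:
        raise ValueError("expected AUTHENTICATE, got type %d" % msg_type)
    lm_resp, nt_resp = _field(msg, 12), _field(msg, 20)
    domain, user = _field(msg, 28), _field(msg, 36)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # NTLMSSP_NEGOTIATE_UNICODE (bit 0) selects UTF-16LE strings, else OEM (8-bit).
    enc = "utf-16-le" if flags & 0x1 else "latin-1"
    # The NT response length is the tell: NTLMv1 is a fixed 24-byte DES output,
    # NTLMv2 is a 16-byte HMAC-MD5 followed by a variable-length client blob.
    if len(nt_resp) > 24:
        flavor = "NTLMv2"
    elif len(nt_resp) == 24:
        flavor = "NTLMv1"
    elif len(lm_resp) == 24:
        flavor = "LM only"
    else:
        flavor = "anonymous/unknown"
    return flavor, user.decode(enc), domain.decode(enc)

def build_authenticate(lm_resp, nt_resp, user, domain):
    """Constructed fixture: a minimal type 3 message, not a real capture."""
    flags = 0x1  # NTLMSSP_NEGOTIATE_UNICODE
    fields = [(12, lm_resp), (20, nt_resp), (28, domain.encode("utf-16-le")),
              (36, user.encode("utf-16-le")), (44, b""), (52, b"")]  # workstation, session key
    header, payload, off = bytearray(64), b"", 64
    header[:8] = NTLMSSP_SIGNATURE
    struct.pack_into("<I", header, 8, AUTHENTICATE)
    for field_off, data in fields:
        struct.pack_into("<HHI", header, field_off, len(data), len(data), off)
        payload += data
        off += len(data)
    struct.pack_into("<I", header, 60, flags)
    return bytes(header) + payload
```

Any client still classified as "NTLMv1" or "LM only" is the one to fix (LmCompatibilityLevel), since those responses are what the thread's sniff-and-crack approach relies on.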

  3. #3
    thorin (My life is this forum) | Join Date: Jan 2010 | Posts: 2,629

    Quote Originally Posted by ESC201:
    Hi, I'm just wondering if there is a way to sniff domain passwords / hashes as they go across the network. Is there a filter for this in ettercap maybe (Or another program)?
    Yes there is a way to do it with Ettercap.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Member | Join Date: Jul 2007 | Posts: 104

    OK, so I understand the LM and NTLM hashing methods and how to crack them; however, ettercap doesn't want to cooperate with me here.
    I open it, start unified sniffing with any host, and it doesn't show anything. Even with ARP poisoning. The only things it's shown for me are SSL passwords, the error I mentioned in my previous post (which I don't get anymore), and a random GET request from one of my computers. I've been messing with it for almost 4 hours now and nothing. This makes it hard to catch hashes when I can't even catch general TCP traffic. Any ideas?

  5. #5
    Junior Member | Join Date: Feb 2007 | Posts: 31

    On a bit of a side note, m8, have a hunt round for H.D. Moore's presentation at Defcon 15, Hijacking NTLM (using ettercap and metasploit to pass the hash). I am still learning with my pen lab at home and used the example above to get a reverse shell on a win2003 domain controller (now I am reading up on how, now, what, why this happens).

    Hope this helps

  6. #6
    cyberconsole (Junior Member) | Join Date: Aug 2007 | Posts: 57

    Quote Originally Posted by Blindbat:
    On a bit of a side note, m8, have a hunt round for H.D. Moore's presentation at Defcon 15, Hijacking NTLM (using ettercap and metasploit to pass the hash). I am still learning with my pen lab at home and used the example above to get a reverse shell on a win2003 domain controller (now I am reading up on how, now, what, why this happens).

    Hope this helps
    Yeah, I think I saw this a while back. It's pretty good.

    ESC201, how are you going about forcing your machines to send their hash? Naturally you won't be able to intercept that traffic unless they send it. Browsing a shared folder on another machine should do the trick.
    There's no fate but what we make for ourselves.

    -I already know I cant spel-

  7. #7
    Member | Join Date: Jul 2007 | Posts: 104

    I've been messing with ettercap and, through trying different things and Google, I have the 'not capturing any traffic' problem ironed out. However, when I attempt to capture any SMB traffic by simply logging onto my domain from another computer while I have ettercap ARP-poisoning my network, I get an error.
    Code:
        SEND L3 ERROR: 28 bye packet (0800:01) destined 192.168.2.5 was not forwarded(libnet_write_raw_ipv4(); -1 bytes written (Operation not permitted)
    (2.5 is my domain controller.) And I have no idea what that means. Help?
    (Yes, I have searched. http://forums.remote-exploit.org/arc....php/t-99.html ...didn't help much.)
    Also, Blindbat, many thanks for the pointer to that presentation. There are many things I'll have to look into once I get SMB sniffing down.
