Sniffing domain passwords?
Hi, I'm just wondering if there is a way to sniff domain passwords / hashes as they go across the network. Is there a filter for this in ettercap maybe (Or another program)? I tried sniffing with default ettercap settings while I logged onto my domain from another computer and it gave me some weird error. (If it's relevant to post I'll recreate it if needed.) I really don't know where to start so any help or point in the right direction would be great. Thanks.
Well youre not going to just get the passwords in clear text but ettercap is capable of sniffing SMB traffic. It's not really even necessary to arp poison your victim machine to grab his or her hash.
Learn the difference between LM, NTLM and NTLMv2. Google for smb packet capture. Once you learn how it all works it should be a piece of cake to create a senario in your test environmnet.
There's no fate but what we make for ourselves.
-I already know I cant spel-
Yes there is a way to do it with Ettercap.Originally Posted by ESC201
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Ok so I understand the LM and NTLM hashing methods and how to crack them however ettercap doesn't want to cooperate with me here.
I open it start unified sniffing with any host and it's doesn't show anything. Even with ARP poisoning. The only things it's shown for me are SSL passwords, the error I mentioned in my previous post (which I don't get anymore.) and a random get request from one of my computers. I've been messing with it for almost 4 hours now and nothing. This makes it hard to catch hashes when I can't even catch general TCP traffic. Any ideas?
On abit of a side note m8 have a hunt round for H.D Moore presentation @ Defcon 15 Hijacking NTLM (using ettercap and metasploit to pass the hash). Iam still learning with my pen lab at home and used the example above to get a reverse shell on a win2003 domain controller ( now iam reading up on how,now,what,why this happens)
Hope this helps
Yea, I think I saw this a while back. It's pretty good.On abit of a side note m8 have a hunt round for H.D Moore presentation @ Defcon 15 Hijacking NTLM (using ettercap and metasploit to pass the hash). Iam still learning with my pen lab at home and used the example above to get a reverse shell on a win2003 domain controller ( now iam reading up on how,now,what,why this happens
Hope this helps
ESC201 how are going about forcing your machines to send their hash? naturally you wont be able to intercept that traffic unless they send it. Browsing a shared folder on another machine should do the trick.
There's no fate but what we make for ourselves.
-I already know I cant spel-
I've been messing with ettercap and through trying different things and google I have the 'not capturing any traffic' problem ironed out. However, when I attempt to capture any SMB traffic by simply logging onto my domain from another computer while I have ettercap arp-poisoning my network, I get an error.
(2.5 is my domain controller.) And I have no idea what that means. Help?Code:SEND L3 ERROR: 28 bye packet (0800:01) destined 192.168.2.5 was not forwarded(libnet_write_raw_ipv4(); -1 bytes written (Operation not permitted)
(Yes, I have searched. http://forums.remote-exploit.org/arc....php/t-99.html ...didn't help much.)
Also, Blindbat, thanks many for the point to that presentation. There are many things I'll have to look into once I get smb sniffing down.
Posting Permissions
