Greetings to all:
I am having a tough time trying to import Win2K/WinXP sniffed challenge/response logins into various cracking programs. My lab scenario is a Windows 2000 Advanced Server SP3 and a Windows XP Pro workstation. I am successfully logging onto a server share (not a domain login) from the XP client and capturing the challenge/response. Because it is a 2K/XP non-domain login (no Kerberos, right?), I am assuming that I am dealing with NTLMv2 challenge/response hashes. I looked over the PowerPoint presented at Black Hat by urity on cracking NTLMv2 and decided to try the two tools mentioned in the paper.

I used ScoopLM running on the server to grab the challenge/response OK and imported it into BeatLM in order to try and brute force it. BeatLM documentation says it can brute force NTLMv1 and v2. The problem is that when I go to run either the dic attack or the brute force attack, it never starts... it just says 'search complete'. Further, in the "length" field column of the cracker it says "ntlmv1"?? I then assumed that maybe I was wrong about the hash versions and it was NTLMv1, or there was some other problem with the program, so I switched to ettercap for Windows and sniffed the challenge/response OK and imported it into LC4 under the LC2.5 format (the way ettercap saves NTLM hashes). Well, now it does the same thing, and there is no data shown in the challenge field??, just all zeros in the NTLM hash and LM hash fields (I think this is normal b/c it is a challenge/response sniff). My next attempt was just to use the built-in SMB capture of LC4. I started the packet capture and successfully logged into the server share, but nothing was recorded in the capture! (I tried this many times.) Can someone please tell me where I am going wrong? I have spent over 25 hours on just trying to get started. I am especially disappointed that I cannot use BeatLM; the paper on NTLMv2 and the program looked so promising... If someone knows how to properly use those two utilities please let me know...
I have included below the exact test data as I imported it if you wish to look at it:
the login is admintest
the password is hill99
ScoopLM capture, saved as a .csv file:
Server,Client,Account,Result,Challenge,"LM response","NTLM response"
192.168.1.250,192.168.1.101,admintest\KDENISEVIGEE,OK,778f3ecf8bc1ba45,06062b0601050502a0483046a00e300c060a2b0601040182,3702020aa23404324e544c4d535350000100000097b208e0
ettercap capture, saved as a .lc file (L0pht 2.5 format):
USER:3:778f3ecf8bc1ba45:06062b0601050502a0483046a00e300c060a2b0601040182:3702020aa23404324e544c4d535350000100000097b208e0
Thanks,
Patrick S. MacDanel II
P&N Technologies
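The quoted capture lines can be checked before they are fed to any cracker, because a cracker that immediately reports "search complete" is usually being handed fields that are not responses at all. Decoding the two hex fields from the post shows that the "LM response" field begins with the DER-encoded SPNEGO OID (1.3.6.1.5.5.2) and the "NTLM response" field contains the "NTLMSSP\0" signature followed by message type 1 (Negotiate), i.e. the session-setup negotiation blob rather than the 24-byte DES-based responses an NTLMv1 cracker expects. The following script is an added example written for this page, not code from ScoopLM, BeatLM, ettercap or L0phtCrack; it embeds a constructed copy of the two lines quoted above, parses the ScoopLM CSV and the colon-separated .lc line, and classifies what each response field actually holds. The length and byte-layout checks for NTLMv1 (24 bytes) and NTLMv2 (16-byte HMAC followed by a blob starting 0x0101) are the standard message formats; the field labels returned are this example's own.

```python
import csv
import io
import struct

# Constructed copy of the ScoopLM CSV quoted in the post (not live capture data).
SCOOPLM_CSV = """Server,Client,Account,Result,Challenge,"LM response","NTLM response"
192.168.1.250,192.168.1.101,admintest\\KDENISEVIGEE,OK,778f3ecf8bc1ba45,06062b0601050502a0483046a00e300c060a2b0601040182,3702020aa23404324e544c4d535350000100000097b208e0
"""

# Constructed copy of the ettercap .lc line quoted in the post.
LC25_LINE = "USER:3:778f3ecf8bc1ba45:06062b0601050502a0483046a00e300c060a2b0601040182:3702020aa23404324e544c4d535350000100000097b208e0"

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")   # DER tag+length+OID 1.3.6.1.5.5.2
NTLM_MESSAGE_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def is_8_byte_hex(value):
    """A server challenge is 8 bytes, so the hex field must be 16 hex digits."""
    try:
        return len(bytes.fromhex(value)) == 8
    except ValueError:
        return False


def classify_response_field(hex_value):
    """Label what a captured 'response' field actually contains (labels are this example's own)."""
    try:
        data = bytes.fromhex(hex_value)
    except ValueError:
        return "not-hex"
    if data.startswith(SPNEGO_OID_DER):
        return "spnego-negotiation-token"          # GSS-API/SPNEGO wrapper, not a response
    idx = data.find(NTLMSSP_SIGNATURE)
    if idx != -1:
        body = data[idx + len(NTLMSSP_SIGNATURE):]
        if len(body) < 4:
            return "ntlmssp-truncated"
        msg_type = struct.unpack("<I", body[:4])[0]  # little-endian MessageType field
        return "ntlmssp-" + NTLM_MESSAGE_TYPES.get(msg_type, "unknown")
    if len(data) == 24:
        return "ntlmv1-or-lm-response"             # 24-byte DES-based response
    if len(data) > 24 and data[16:18] == b"\x01\x01":
        return "ntlmv2-response"                   # 16-byte HMAC-MD5 then blob starting 0x0101
    return "unrecognised"


def describe(account, challenge, lm_field, ntlm_field):
    return {
        "account": account,
        "challenge": challenge,
        "challenge_ok": is_8_byte_hex(challenge),
        "lm_field": classify_response_field(lm_field),
        "ntlm_field": classify_response_field(ntlm_field),
    }


def parse_scooplm_csv(text):
    """Parse ScoopLM's CSV export (header as quoted in the post) into classified rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append(describe(row["Account"], row["Challenge"],
                             row["LM response"], row["NTLM response"]))
    return rows


def parse_lc25_line(line):
    """Parse the colon-separated USER:id:challenge:lm:ntlm line as quoted in the post."""
    user, _ident, challenge, lm_field, ntlm_field = line.strip().split(":")
    return describe(user, challenge, lm_field, ntlm_field)


def looks_like_crackable_capture(row):
    """True only when the challenge is 8 bytes and both fields are real responses."""
    response_kinds = {"ntlmv1-or-lm-response", "ntlmv2-response"}
    return (row["challenge_ok"]
            and row["lm_field"] in response_kinds
            and row["ntlm_field"] in response_kinds)


if __name__ == "__main__":
    for row in parse_scooplm_csv(SCOOPLM_CSV) + [parse_lc25_line(LC25_LINE)]:
        print(row, "crackable:", looks_like_crackable_capture(row))
```

Run against the quoted data, both parsers report a valid 8-byte challenge but a SPNEGO token in the LM field and an NTLMSSP Negotiate message in the NTLM field, so the capture is not something any LM/NTLM cracker can work on; a capture worth importing would show two 24-byte fields (NTLMv1) or a 24-byte LM field plus a longer NTLMv2 blob.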