Can someone help me with my lab scenario please...

From: Patrick MacDanel (pmacdanelat_private)
Date: Sun Oct 13 2002 - 21:47:27 PDT


Greetings to all:

I am having a tough time trying to import Win2k/WinXP sniffed challenge/response logins into various cracking programs. My lab scenario is a Windows 2000 Advanced Server SP3 and a Windows XP Pro workstation. I am successfully logging onto a server share (not a domain login) from the XP client and capturing the challenge/response. Because it is a 2K/XP non-domain login (no Kerberos, right?), I am assuming that I am dealing with NTLMv2 challenge/response hashes. I looked over the PowerPoint presented at Black Hat by urity on cracking NTLMv2 and decided to try the two tools mentioned in the paper.

I used ScoopLM running on the server to grab the challenge/response OK and imported it into BeatLM in order to try and brute force it. BeatLM documentation says it can brute NTLMv1 and v2. The problem is that when I go to run either the dictionary attack or the brute force attack, it never starts... it just says 'search complete'. Further, in the "length" column of the cracker it says "ntlmv1"?? I then assumed that maybe I was wrong about the hash versions and it was NTLMv1, or there was some other problem with the program, so I switched to ettercap for Windows and sniffed the challenge/response OK and imported it into LC4 under the LC2.5 format (the way ettercap saves NTLM hashes). Well, now it does the same thing, and there is no data shown in the challenge field??, just all zeros in the NTLM hash and LM hash fields (I think this is normal because it is a challenge/response sniff). My next attempt was just to use the built-in SMB capture of LC4. I started the packet capture and successfully logged into the server share, but nothing was recorded in the capture! (I tried this over many times.) Can someone please tell me where I am going wrong? I have spent over 25 hours on just trying to get started. I am especially disappointed that I cannot use BeatLM; the paper on NTLMv2 and the program looked so promising... If someone knows how to properly use those two utilities please let me know...

I have included below the exact test data as I imported it if you wish to look at it:

the login is admintest
the password is hill99

ScoopLM capture, saved as a .csv file:
Server,Client,Account,Result,Challenge,"LM response","NTLM response"
192.168.1.250,192.168.1.101,admintest\KDENISEVIGEE,OK,778f3ecf8bc1ba45,06062b0601050502a0483046a00e300c060a2b0601040182,3702020aa23404324e544c4d535350000100000097b208e0

ettercap capture, saved as a .lc file (L0pht 2.5 format): USER:3:778f3ecf8bc1ba45:06062b0601050502a0483046a00e300c060a2b0601040182:3702020aa23404324e544c4d535350000100000097b208e0

Thanks,

Patrick S. MacDanel II
P&N Technologies
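As an added example (mine, not code from the original post or from the ScoopLM/BeatLM authors), the following decodes the two "response" fields of the .csv above as DER: they turn out to hold the SPNEGO OID, the NTLMSSP mechanism OID and the start of an NTLMSSP NEGOTIATE (type 1) message, i.e. the client's extended-security negotiation blob rather than 24-byte LM/NTLM responses. It assumes ScoopLM sliced the beginning of the Session Setup security blob into those two fields and that only short-form DER lengths occur.

```python
# Added example (not from the original post or the tool authors): decode the two
# "response" fields of the ScoopLM .csv above as DER and label what they hold.
# Assumption: ScoopLM sliced the first bytes of the client's Session Setup
# security blob into two 24-byte fields; only short-form DER lengths appear.

LM_FIELD = "06062b0601050502a0483046a00e300c060a2b0601040182"     # from the post
NTLM_FIELD = "3702020aa23404324e544c4d535350000100000097b208e0"   # from the post

KNOWN_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NTLMSSP_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER."""
    if not body:
        return ""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def walk_der(blob: bytes, start: int = 0, end=None) -> list:
    """Return (tag, content) for primitive elements, descending into SEQUENCE and
    context tags; lengths are clamped so a blob cut off mid-element still parses."""
    end = len(blob) if end is None else end
    out, i = [], start
    while i + 2 <= end:
        tag, body_start = blob[i], i + 2
        body_end = min(body_start + blob[i + 1], end)
        if tag == 0x30 or 0xA0 <= tag <= 0xAF:
            out.extend(walk_der(blob, body_start, body_end))
        else:
            out.append((tag, blob[body_start:body_end]))
        i = body_end
    return out


def describe_capture(lm_field: str, ntlm_field: str) -> list:
    """Label each element found in the concatenated 'response' fields."""
    labels = []
    for tag, content in walk_der(bytes.fromhex(lm_field + ntlm_field)):
        if tag == 0x06:                                       # OBJECT IDENTIFIER
            oid = decode_oid(content)
            labels.append(KNOWN_OIDS.get(oid, oid))
        elif tag == 0x04 and content.startswith(b"NTLMSSP\0"):  # OCTET STRING
            kind = int.from_bytes(content[8:12], "little")     # MessageType
            labels.append(f"NTLMSSP {NTLMSSP_TYPES.get(kind, kind)} (type {kind})")
    return labels
```

Calling describe_capture(LM_FIELD, NTLM_FIELD) returns ['SPNEGO', 'NTLMSSP', 'NTLMSSP NEGOTIATE (type 1)'], which is why the crackers find no usable challenge/response in this file.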
    



    This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 08:38:56 PDT