
From: Ben Cohen, Ohad (absinthNETVISION.NET.IL)
Date: Mon Mar 26 2001 - 16:38:30 CST


    Thanks.
    You are certainly right about the anti-sniff environments' out-of-choice
    usage of the share-sending-password-grabbing method. But in cleaner
    environments you must agree with me that simply sniffing everything is
    much more useful and smooth.
    "Simply". I still didn't make it. On Linux I sniffed everything smoothly
    but had no tool to "unlock" the NT hashes in the SMB packets.
    On NT the tools I used just didn't make it, both snarp and WCI.
    l0phtcrack silently ignored them. Weird.

    ~Ben.

    pen test wrote:

    > Ridiculous? Well, it's just another way of doing something. One reason
    > to do that may be if something like anti-sniff is running to detect
    > NICs in promiscuous mode (in other words, catch people sniffing); thus
    > you use the share method and the information is sent to you. Now there
    > are sniffers that will not be detected by anti-sniff, but then there are
    > other anti-sniff-like products that will detect those. I do not
    > recommend that, but if you read back in my email you will see that I
    > noted it came from the docs on l0phtcrack, so that opinion should be
    > sent to l0pht or atstake as they are known now.
    >
    > As far as an ARP tool that works with l0phtcrack, try snarp and then
    > start the sniffing of l0phtcrack. Now as with most ARP tools this
    > will only allow you to grab info between machines, tricking the ARP
    > tables into believing that your system is actually another. If
    > you want to sniff everything, try filling the ARP tables of the switch,
    > thus making it dump to everywhere. I can't recall the code that will
    > allow you to do that under Linux off hand.
    >
    >> From: "Ben Cohen, Ohad" <absinthnetvision.net.il>
    >> To: Focus on Microsoft Mailing List
    >> <FOCUS-MSSECURITYFOCUS.COM>, pen test <pentestlistHOTMAIL.COM>
    >> Subject: Re: l0phtcrack on a switched network, still...
    >> Date: Sat, 24 Mar 2001 23:08:00 +0200
    >>
    >> Well, the theory is well known.
    >> The problem is somehow I couldn't get it to work...
    >> Using a Linux box I could easily sniff the switched network using a
    >> simple ARP spoof tool.
    >> But then I couldn't crack the SMB packets 'cause l0pht is Windows only.
    >> On NT the ARP spoofing tool I have found just didn't cooperate with
    >> l0pht.
    >> Can you think of a tool that really works with l0pht?
    >> Oh, and about the share-sending method? I think it's ridiculous.
    >> Come on.
    >> Using such social engineering is incompetence from my point of view.
    >> Why use it, when data is running there on the cables, waiting for you
    >> to get it?
    >>
    >> Ben.
    >>
    >>
    >> pen test wrote:
    >>
    >>> There seems to be a lot of talk still about l0phtcrack and switched
    >>> networks.
    >>> Let's start at the beginning.
    >>> 1. In a switched environment packets do not hit all ports, thus you
    >>> cannot sniff. And before you jump my case on this point, I mean by
    >>> basic means. (Stay with me, we will get to what you are thinking.)
    >>>
    >>> So in the simplest terms you cannot sniff with l0phtcrack to start
    >>> off with. If you read the l0pht docs, however, they point out that if
    >>> you just want certain passwords then the best bet is to open a share
    >>> on your computer, give them access, and send a link to them such as
    >>> \\wkstationname\share .
    >>> When they access this their password will be sent and l0phtcrack
    >>> running on your system will snag it. This works, I have tried it.
    >>>
    >>> 2. Now as we know you can sniff on a switched network by ARP
    >>> poisoning. A few ways to do this. First, we can fill the switch's
    >>> tables until it starts to dump packets to every port and then we see
    >>> it all. Secondly, we can do a man-in-the-middle attack by spoofing
    >>> ARP packets and making the switch believe a server or workstation
    >>> resides in 2 places on the network, which is physically possible with
    >>> 2 NICs, so this is accepted by the switch. We trick the switch into
    >>> thinking we are the destination and we gather passwords.
    >>> (Spoof the fileserver, hey why not the PDC - watch for other problems
    >>> though.)
    >>>
    >>> Oh, someone mentioned a VLAN also. VLAN is exactly what it says,
    >>> Virtual LAN, thus it still has a physical port on the switch; either
    >>> method above will work.
    >>>
    >>> There are several tools you can use for this. I believe most have
    >>> been posted here and these methods have been posted also. I figured I
    >>> would recap this topic since for some reason this thread continues
    >>> on. I know there are more methods but have fun with these.
    >>>
    >>>
    >>>> From: Jack Lyons <jack.lyonsMARTINAGENCY.COM>
    >>>> Reply-To: Focus on Microsoft Mailing List <FOCUS-MSSECURITYFOCUS.COM>
    >>>> To: FOCUS-MSSECURITYFOCUS.COM
    >>>> Subject: Re: [FOCUS-MS] l0phtcrack on a switched network, still...
    >>>> Date: Thu, 22 Mar 2001 06:24:20 -0500
    >>>>
    >>>> Depending on the switches, you could span a port (mirror another port)
    >>>> that the NT server is connected to.
    >>>>
    >>>> Jack
    >>>> ----- Original Message -----
    >>>> From: Sean Ballard
    >>>> To: FOCUS-MSSECURITYFOCUS.COM
    >>>> Sent: Wednesday, March 21, 2001 12:52 PM
    >>>> Subject: Re: l0phtcrack on a switched network, still...
    >>>>
    >>>>
    >>>> What about getting data off a switched network segmented into
    >>>> multiple VLANs? I have no success with 2.5.2 and the only hash I can
    >>>> pull from the packet sniffer module is my own.
    >>>>
    >>>>
    >>>> ./Sean
    >>>> -----Original Message-----
    >>>> From: Carino Gustavo Javier [mailto:GCARINOPECOM.COM.AR]
    >>>> Sent: Tuesday, March 20, 2001 1:39 PM
    >>>> To: FOCUS-MSSECURITYFOCUS.COM
    >>>> Subject: Re: l0phtcrack on a switched network, still...
    >>>>
    >>>>
    >>>> I haven't had any problems with this version, l0phtcrack 2.52, in my
    >>>> switched NT 4.0 networks.
    >>>> Is this your version?
    >>>>
    >>>> ----------
    >>>> From: Ben Cohen, Ohad[SMTP:absinthNETVISION.NET.IL]
    >>>> Reply to: Focus on Microsoft Mailing List
    >>>> Sent: Monday, March 19, 2001 7:11 PM
    >>>> To: FOCUS-MSSECURITYFOCUS.COM
    >>>> Subject: l0phtcrack on a switched network, still...
    >>>>
    >>>> Hi...
    >>>>
    >>>> I still can't get l0phtcrack's SMB capture function to work on my
    >>>> switched network.
    >>>> I got the NDIS protocol up 'n' running and used WCI to ARP spoof the
    >>>> network.
    >>>> While WCI enumerated the network, l0pht captured tons of SMB packets,
    >>>> all from my host and my username on, with different destination IP
    >>>> addresses.
    >>>> During the actual WCI work, l0pht remained SMB bare-handed. Nothing
    >>>> was captured.
    >>>> Btw, l0pht's manual explicitly says that the NDIS network layer
    >>>> protocol and some others too should be removed in order for l0pht to
    >>>> properly work.
    >>>>
    >>>> Has anyone succeeded in sniffing and decrypting switched NT 4.0
    >>>> networks' login packets?
    >>>>
    >>>> thanks,
    >>>> Ben.
    >>>>
    >>>
    >>
    >
    >
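The two switch-level conditions the quoted messages describe (a server's IP suddenly "residing in 2 places" after ARP spoofing, and a switch's tables being filled until it floods every port) leave a footprint a defender can check for in a port-mirror capture. The following detector is an added example written for this page; it is not code from the thread or from l0phtcrack, snarp or WCI, and the port labels, addresses, timing and thresholds are constructed assumptions.

```python
"""Defender-side checks for the two switched-network attack conditions the
thread discusses: an IP address rebinding to a second MAC (ARP poisoning /
man-in-the-middle) and one switch port sourcing a burst of distinct MACs
(CAM-table flooding that makes the switch "dump to everywhere").
Added example, not code from the thread; all sample frames are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float                      # capture time, seconds
    port: str                      # switch port the frame arrived on (hypothetical labels)
    src_mac: str                   # Ethernet source address
    arp_sender_ip: Optional[str]   # sender IP if this is an ARP reply, else None
    arp_sender_mac: Optional[str]  # sender MAC from the ARP payload, else None


def detect_arp_rebinding(frames: List[Frame]) -> List[Tuple[float, str, str, str]]:
    """Return (ts, ip, previous_mac, new_mac) for every ARP reply whose sender IP
    was last seen bound to a different MAC. A legitimate NIC swap trips this
    once; a poisoning tool trips it repeatedly as it keeps re-advertising."""
    binding: Dict[str, str] = {}
    alerts: List[Tuple[float, str, str, str]] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.arp_sender_ip is None or f.arp_sender_mac is None:
            continue
        mac = f.arp_sender_mac.lower()
        prev = binding.get(f.arp_sender_ip)
        if prev is not None and prev != mac:
            alerts.append((f.ts, f.arp_sender_ip, prev, mac))
        binding[f.arp_sender_ip] = mac
    return alerts


def detect_mac_flood(frames: List[Frame], window_s: float = 1.0,
                     threshold: int = 50) -> List[Tuple[str, float, int]]:
    """Return (port, ts, distinct_macs) the first time a port sources more than
    `threshold` distinct MACs inside any sliding window of `window_s` seconds.
    Window and threshold are assumptions; tune to the port's normal host count."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, float, int]] = []
    for f in sorted(frames, key=lambda x: x.ts):
        q = recent[f.port]
        q.append((f.ts, f.src_mac.lower()))
        while q and f.ts - q[0][0] > window_s:  # drop frames that fell out of the window
            q.popleft()
        distinct = len({mac for _, mac in q})
        if distinct > threshold and f.port not in alerted:
            alerted.add(f.port)
            alerts.append((f.port, f.ts, distinct))
    return alerts


def build_sample() -> List[Frame]:
    """Constructed capture: a file server answering ARP normally on Gi0/1, then
    a host on Gi0/7 claiming the server's IP, then spraying random source MACs."""
    server_mac = "00:11:22:33:44:01"
    rogue_mac = "00:11:22:33:44:99"
    frames = [Frame(100.0 + i, "Gi0/1", server_mac, "10.0.0.5", server_mac)
              for i in range(5)]
    frames.append(Frame(105.5, "Gi0/7", rogue_mac, "10.0.0.5", rogue_mac))
    frames += [Frame(110.0 + i / 100, "Gi0/7", f"02:00:00:00:00:{i:02x}", None, None)
               for i in range(80)]
    return frames


if __name__ == "__main__":
    sample = build_sample()
    for alert in detect_arp_rebinding(sample):
        print("ARP rebinding:", alert)
    for alert in detect_mac_flood(sample):
        print("MAC flood:", alert)
```

On the constructed capture the first check reports 10.0.0.5 moving from the server's MAC to the rogue MAC at t=105.5, and the second reports port Gi0/7 once it has sourced 51 distinct MACs within a second; a port with one attached host never exceeds a distinct count of one. Static ARP entries on the servers and per-port MAC limits on the switch are the corresponding preventive controls.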