From: David Wong (dw280HOTMAIL.COM)
Date: Fri Jan 12 2001 - 11:30:38 CST


    Yes you can! See Mike Howard's book "Designing Secure Web-based
    Applications" for a description of how authentication is done.
    Or just look at http://www.innovation.ch/java/ntlm.html for a detailed
    packet analysis of the protocol.

    Although the type of authentication that's used depends on the server and
    client configuration, you are probably right that it's using NTLM LanMan
    hash over the "Negotiate" protocol.

    I have code to do this, contact me offline if you need it.

    Dave
    ----- Original Message -----
    From: "Batten, Gerald" <GBattenEXOCOM.COM>
    To: <PEN-TESTSECURITYFOCUS.COM>
    Sent: Thursday, January 11, 2001 9:55 AM
    Subject: [PEN-TEST] Sniffing web-based NT logins

    > I was wondering if there was a tool, or if someone knew how to pick it off
    > of a regular sniffer, to pick up the NT hash of an NT login over the web.
    > Let me explain...
    >
    > The server is IIS 5.0, the web clients are IE 5.x, and the server is
    > configured to take NT authentication to the protected web pages
    > exclusively. This means that Netscape won't work, and that the passwords
    > are not sent as the standard Base64 encoding.
    >
    > So, how are the passwords transferred, and how would I use a sniffer to
    > pick it up? I'm assuming that they would be Lanman hashes and that I could
    > pull them off the wire somehow and use LophtCrack to guess the passwords?
    >
    > Gerald.
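The thread above concerns NTLM (NTLMSSP) tokens carried in HTTP `Authorization` / `WWW-Authenticate` headers under the `NTLM` and `Negotiate` schemes. The following Python is an added defensive example, not code from either poster: it inspects captured HTTP header lines, base64-decodes the token, identifies the NTLMSSP message type from the 8-byte signature and the little-endian type field at offset 8 (1 negotiate, 2 challenge, 3 authenticate), and flags a challenge/response exchange observed on cleartext HTTP, which is exactly what a passive sniffer on the path could record. The sample tokens are constructed in-line (header-only, not full NTLM messages) and the names `build_token`, `inspect_header` and `scan_exchange` are chosen here; SPNEGO-wrapped Negotiate tokens (GSS-API, first byte 0x60) are reported as unparsed rather than decoded.

```python
import base64
import binascii
import struct
from dataclasses import dataclass
from typing import List, Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
AUTH_HEADERS = ("authorization", "www-authenticate",
                "proxy-authorization", "proxy-authenticate")


@dataclass
class NtlmObservation:
    scheme: str        # header scheme as seen: "NTLM" or "Negotiate"
    message_type: int  # NTLMSSP type field (1, 2 or 3)
    over_tls: bool     # True if the capture came from an HTTPS connection

    def risk(self) -> str:
        """Challenge (2) and authenticate (3) on cleartext HTTP expose the
        challenge/response pair to anyone on the path; negotiate (1) alone
        carries only flags."""
        if not self.over_tls and self.message_type in (2, 3):
            return "HIGH: NTLM %s exposed on cleartext HTTP" % MESSAGE_NAMES[self.message_type]
        return "INFO: NTLM %s" % MESSAGE_NAMES[self.message_type]


def build_token(msg_type: int) -> str:
    """Constructed sample token for the demo: NTLMSSP signature, type field,
    and zero padding. This is enough for type detection, not a real message."""
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24
    return base64.b64encode(body).decode("ascii")


def parse_ntlm_token(token_b64: str) -> Optional[int]:
    """Return the NTLMSSP message type, or None if the token is not raw NTLMSSP."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    # GSS-API/SPNEGO wrapper (DER APPLICATION 0 tag): the NTLM token is nested
    # inside ASN.1 and is not unwrapped by this example.
    if raw[:1] == b"\x60":
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in MESSAGE_NAMES else None


def inspect_header(header_line: str, over_tls: bool) -> Optional[NtlmObservation]:
    """Parse one HTTP header line and return an observation if it carries a
    raw NTLMSSP token under the NTLM or Negotiate scheme."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() not in AUTH_HEADERS:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) < 2 or parts[0].lower() not in ("ntlm", "negotiate"):
        return None  # other scheme, or a bare challenge offer with no token
    msg_type = parse_ntlm_token(parts[1])
    if msg_type is None:
        return None
    return NtlmObservation(parts[0], msg_type, over_tls)


def scan_exchange(header_lines: List[str], over_tls: bool) -> List[NtlmObservation]:
    """Run inspect_header over a captured header list, keeping only NTLM hits."""
    found = (inspect_header(line, over_tls) for line in header_lines)
    return [obs for obs in found if obs is not None]


if __name__ == "__main__":
    # Constructed capture of the three-leg handshake on plain HTTP.
    captured = [
        "Host: intranet.example",                     # placeholder host
        "WWW-Authenticate: NTLM",                     # bare offer, no token
        "Authorization: NTLM " + build_token(1),
        "WWW-Authenticate: NTLM " + build_token(2),
        "Authorization: NTLM " + build_token(3),
        "Authorization: Basic dXNlcjpwYXNz",          # not NTLM, ignored
    ]
    for obs in scan_exchange(captured, over_tls=False):
        print(obs.scheme, obs.message_type, obs.risk())
```

Running the block prints one line per token; the type 2 and type 3 legs are rated HIGH because they were seen without TLS, which is the mitigation the flag is pointing at. Feeding the same headers with `over_tls=True` downgrades every hit to INFO.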