Re: Cracking Ettercap Generated hashes

From: Kurt Grutzmacher (grutz@jingojango.net)
Date: Sat Nov 17 2007 - 10:59:18 EST


What you have there are the challenge/response hashes. You can crack
them with Cain & Abel but prepare for it to take a while. You can't use
rainbow tables as the nonce is unique for every exchange.

There are tables for a constant nonce to crack the first half of a
LANMAN hash. Here are some resources that may help you understand what
can be done with hashes.

http://grutztopia.jingojango.net/2007/04/ntlmv1-metasploit-and-you.html
http://grutz.jingojango.net/exploits/pokehashball.html
http://www.metasploit.com/confs/blackhat2007/tactical_paper.pdf

On Fri, Nov 16, 2007 at 05:30:17PM -0600, Danux wrote:
> Hi Experts,
>
> After testing a client network, I got a hash through Ettercap (ARP
> spoofing), but when trying to crack the hash with RainbowCrack it
> seems not to be in NTLM format, and nothing happens.
> Here I show the hash gathered:
>
> SMB : 172.16.16.135:445 ->
> USER: mjones
> HASH:
> mjones:"":"":1EA3083687301F2E00000000000000000000000000000000:2F8EDA1AD20B80974F86656996787855C5CF3417FD44BF03:BD9AE7964A5E989B
> DOMAIN: IMS
>
> Do you know how to crack hashes gathered from Ettercap (ARP spoofing)?
>
>
> --
> Danux, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>
>

-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
	"There's just no amusing way to say, 'I have a CISSP'."
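The confusion in the thread is between a raw 16-byte LM/NT hash, which precomputed tables target, and an SMB challenge/response capture, where the 8-byte server challenge changes on every authentication and so cannot be tabulated in advance. The following parser is an added example, not code from the thread or from Ettercap: it recognises the `user:"":"":LM_RESP:NT_RESP:CHALLENGE` layout of the quoted line, validates the field lengths, and flags that the captured LM field is 8 bytes followed by 16 zero bytes, so it is not a plain LM response over the server challenge either. The sample line is reassembled from the capture quoted above; the field names and the `classify` labels are this example's own.

```python
"""Tell a raw LM/NT hash apart from an SMB challenge/response capture.

Added example for the thread above; not Ettercap's or the poster's code.
"""
import re
from dataclasses import dataclass

# Constructed sample, reassembled from the capture quoted in the thread.
# The LM field is 8 bytes of data followed by 16 zero bytes.
SAMPLE_LINE = (
    'mjones:"":"":'
    + "1EA3083687301F2E" + "00" * 16 + ":"
    + "2F8EDA1AD20B80974F86656996787855C5CF3417FD44BF03:"
    + "BD9AE7964A5E989B"
)

# A single 16-byte hash as 32 hex digits: what RainbowCrack-style tables expect.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass(frozen=True)
class ChallengeResponse:
    """One SMB authentication exchange as Ettercap prints it."""
    user: str
    lm_response: bytes   # 24 bytes
    nt_response: bytes   # 24 bytes
    challenge: bytes     # 8-byte server nonce, different on every exchange

    @property
    def lm_field_is_padded(self) -> bool:
        """True when the LM field is 8 bytes plus 16 zero bytes, i.e. it is
        not a full 24-byte LM response computed over the server challenge."""
        return self.lm_response[8:] == bytes(16)


def parse_challenge_response(line: str) -> ChallengeResponse:
    """Parse user:"":"":LM_RESP:NT_RESP:CHALLENGE; raise ValueError otherwise."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields, got {len(parts)}")
    user, _quoted1, _quoted2, lm_hex, nt_hex, chal_hex = parts
    lm, nt, chal = (bytes.fromhex(h) for h in (lm_hex, nt_hex, chal_hex))
    if len(lm) != 24 or len(nt) != 24:
        raise ValueError("LM and NT responses must be 24 bytes each")
    if len(chal) != 8:
        raise ValueError("server challenge must be 8 bytes")
    return ChallengeResponse(user, lm, nt, chal)


def classify(line: str) -> str:
    """Name the kind of material on a line so the right tooling is chosen.

    'raw-hash'           one 16-byte LM or NT hash: a table lookup applies
    'raw-hash-pair'      LM:NT pair as in a SAM dump: table lookup applies
    'challenge-response' per-exchange nonce involved: no precomputation
    'unknown'            anything else
    """
    s = line.strip()
    if HEX32.match(s):
        return "raw-hash"
    fields = s.split(":")
    if len(fields) == 2 and all(HEX32.match(f) for f in fields):
        return "raw-hash-pair"
    try:
        parse_challenge_response(s)
    except ValueError:
        return "unknown"
    return "challenge-response"


if __name__ == "__main__":
    kind = classify(SAMPLE_LINE)
    print("material:", kind)
    if kind == "challenge-response":
        cr = parse_challenge_response(SAMPLE_LINE)
        print("user:", cr.user)
        print("server challenge:", cr.challenge.hex().upper())
        print("LM field zero-padded:", cr.lm_field_is_padded)
```

Run it over a capture file line by line and anything reported as `challenge-response` is material that has to be attacked per-exchange, as the reply above says; only `raw-hash` and `raw-hash-pair` lines are candidates for precomputed tables.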




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT