Can't wait for pass-the-hash toolkit Version 1.2. It is an excellent tool. Is there a way to make it work with Cain's MITM SMB capture?
Example from SMB.LST:
15/08/2007 - 19:25:44;192.168.66.86;192.168.66.51;Gereth Stillman;GERETH-STILLMAN;;NTLM Session Security (NTLMSSP);75031D2C83C6263C0000000000000000;34EE0EDE5ECD968296E73C8C582C721C;97D528785DF2976D;0000000000000000;237E7F0D5D8C422F;204995A81A868D12F76AE187A65DE54C;Guest;
Thanks
Can you add an option to IAM.EXE to also change the WHOAMI to the username and domain passed to it? This way, the event viewer doesn't show an event 552 saying that someone else's credentials were used that were different from the logged-on user.
Thanks,
Bert
Hacking your neighbor's computer: Priceless.
I think the MITM feature you mention is recording the nonce and encrypted nonce (nonce encrypted with the hash of the user's password) from the authentication phase of an SMB session. IAM works by changing the current user's hashes, so you first need to run the nonce+encrypted_nonce through l0phtcrack or a similar tool to obtain the hash, and then you can use IAM. I think I've never used Cain's MITM feature; if I'm misunderstanding what it does, please let me know.
Regarding the alert recorded and displayed in the event viewer, I didn't know about that :). Is that a security event? Is that recorded by default? Mm, interesting, I'll look into that.