Friday, November 02, 2007

Numb

I'm still here! hang on! soon I'll be releasing a new version of wifizoo, a new version of the pass-the-hash toolkit and also new stuff/scripts and probably a new version of the universal hooker too!

Soon!

4 comments:

Bertman said...

Can't wait for pass-the-hash toolkit Version 1.2. It is an excelent tool. Is there a way to make it work with the Cain's MITM SMB capture?

Example from SMB.LST:

15/08/2007 - 19:25:44;192.168.66.86;192.168.66.51;Gereth Stillman;GERETH-STILLMAN;;NTLM Session Security (NTLMSSP);75031D2C83C6263C0000000000000000;34EE0EDE5ECD968296E73C8C582C721C;97D528785DF2976D;0000000000000000;237E7F0D5D8C422F;204995A81A868D12F76AE187A65DE54C;Guest;

Thanks

bertman said...

Can you add an option to IAM.EXE to also change the WHOAMI to the username and domain passed to it. This way in the event viewer it doesn't show an event 552 that someone elses credentials were used that were different from the logged on user?

Thanks,

Bert

Hacking your neighbor's computer: Priceless.

hernan said...

I think the MITM feature you mention is recording the nonce and encrypted nonce (nonce encrypted with the hash of the user's password) from the authentication phase of an SMB session. IAM works by changing the current user's hashes, so you first need to run the nonce+encrypted_nonce thru l0phtcrack or similar tool to obtain the hash, and then you can use IAM.

I think i've never used cain's MITM feature, if I'm misunderstanding what it does, please let me know.

hernan said...

Regarding the alert recorded and displayed on the event viewer, I didn't know about that :). Is that a security event? is that recorded by default? mm, interesting, I'll look into that.