Full Version: Rainbow Tables
plinius
Hi,
I've read something about NTLM encryption of passwords and a little about rainbow tables, and there's something I don't understand (it might be a dumb question, since I'm new to this subject...):
/******EXTRACT*******/
1. The MD4 message-digest algorithm (described in RFC 1320) is applied to the Unicode mixed-case password. This results in a 16-byte value - the NTLM hash.
2. The 16-byte NTLM hash is null-padded to 21 bytes.
3. This value is split into three 7-byte thirds.
4. These values are used to create three DES keys (one from each 7-byte third).
5. Each of these keys is used to DES-encrypt the challenge from the Type 2 message (resulting in three 8-byte ciphertext values).
6. These three ciphertext values are concatenated to form a 24-byte value. This is the NTLM response.
/******END******/
If I understand correctly, the only things that can be sniffed are:
1)The challenge code
2)the NTLM response
I also believe that a rainbow table has the following form:
NTLM_RESPONSE=f(PASSWORD)
Now my question:
How can the tables be of the form NTLM_RESPONSE=f(PASSWORD) when actually
NTLM_RESPONSE=f(PASSWORD, CHALLENGE_CODE) ????

I hope someone can explain it to me....
Thanks in advance...
nuorder
basically NTLM works in 2 formats
1. The standard password hash, which isn't sent over the network and is always the same for a given plaintext, so precomputation is possible
*this is what pwdump2 would output

2. The client/server response hashes used for network authentication, which are subject to change (as the server decides on its challenges, encrypts the key, etc.); therefore using rainbow tables is out of the question
*this is what your packet sniffer would pick up
plinius
So, is it correct that the only way to crack NTLM passwords sent over the network (network authentication) is to brute force them??

Thanks for your reply.
AgentOrange
QUOTE(plinius @ Oct 30 2004, 02:01 PM)
So, is it correct that the only way to crack NTLM passwords sent over the network (network authentication) is to brute force them??

Thanks for your reply.

You can brute force them using a rainbow table. If you have access to the machine there are a number of ways to turn off NTLM. If you can gain access to the SYSTEM file, which is in the same folder as the SAM file, then you can break the NTLM.

There is also a program called SMBproxy which will get you the unmolested LM hash.

MITM attacks using something like SMBproxy are a very rich attack. There are so many different ways to direct traffic to your SMBproxy. DNS, ARP and the human mind are all very vulnerable to attack.

Peace out
chris105
For those that cant be arsed to search: http://www.cqure.net/tools.jsp?id=2

As far as I understand, you have to get the hash from the SAM, then don't bother cracking it, then run the proxy and try to connect to a network share using the hash you have? Yeah?

Oh, and Agent Orange, it's "d"

01110111011010000110000101110100001000000110000101100010011011110111010101110100
00100000011101000110100001101001011100110010000001101111011011100110010100111111
:


01011001011011110111010100100000011000010111001001100101001000000111011001100101
01110010011110010010000001110110011001010111001001111001001000000111001101100001
0110010000101110
nuorder
Yes, that is correct: if you are purely sniffing hashes then you are restricted to brute forcing the challenge and NTLM response.

BTW some tools for sniffing hashes on win2k/xp would be:

cain & abel (LAN or wifi? only)
ettercap (nice options for capturing hashes)
ethereal (you have to use filters, i wrote a thread about this a while ago)
smbrelay2 (can set up fake hosts)
scooplm (works but have noticed its missed hashes sometimes)

google will get their sites
plinius
OK. Thanks a lot.
protocol
Rainbow tables use precompiled hashes of these values. It's kind of like taking a dictionary and compiling all entries into their own hash values, so basically it takes a guess at the password and then compares the generated hash to the one stored to see if they match.
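The following is an added example, not code from the thread or from any of the tools named in it. It works through the six steps of plinius's extract in Go (standard library only; MD4 is written out because Go does not ship it) and then shows the point nuorder and protocol make: a map keyed on the unsalted NT hash stands in for a precomputed table and gives a direct hit on a dumped hash, while a sniffed (challenge, response) pair can only be matched by recomputing each candidate's response for that particular challenge. The password "Password" and challenge 0x0123456789abcdef are the pair used in Microsoft's MS-NLMP NTLMv1 example; the wordlist is constructed for the demo. A real rainbow table stores hash chains rather than a flat map; the map is only a stand-in for "precomputed".

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320 (written out because Go's standard library lacks it).
func md4(msg []byte) []byte {
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	pad := (56 - (len(msg)+1)%64 + 64) % 64 // zero bytes so that len == 56 mod 64
	buf := append(append(append([]byte{}, msg...), 0x80), make([]byte, pad+8)...)
	binary.LittleEndian.PutUint64(buf[len(buf)-8:], uint64(len(msg))*8)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	sh := [3][4]uint{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(buf[off+4*i:])
		}
		a, b, c, d := h[0], h[1], h[2], h[3]
		for i := 0; i < 48; i++ { // three rounds of 16 steps: F, then G, then H
			var f, k uint32
			idx := i % 16
			switch i / 16 {
			case 0:
				f = (b & c) | (^b & d)
			case 1:
				f, k, idx = (b&c)|(b&d)|(c&d), 0x5a827999, r2[idx]
			case 2:
				f, k, idx = b^c^d, 0x6ed9eba1, r3[idx]
			}
			t, s := a+f+x[idx]+k, sh[i/16][i%4]
			a, b, c, d = d, t<<s|t>>(32-s), b, c
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	out := make([]byte, 16)
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is step 1 of the extract: MD4 over the password encoded as UTF-16LE.
func ntHash(password string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, utf16.Encode([]rune(password)))
	return md4(b.Bytes())
}

// desKey is step 4: spread 56 key bits over 8 bytes (parity bit left 0; DES ignores it).
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6]<<1}
}

// ntlmv1Response is steps 2-6: pad to 21 bytes, DES-encrypt the challenge under each third.
func ntlmv1Response(hash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(padded[7*i : 7*i+7])) // never errors: key is 8 bytes
		blk.Encrypt(resp[8*i:8*i+8], challenge)
	}
	return resp
}

// crackResponse: a sniffed (challenge, response) pair cannot be looked up in a
// table of NT hashes; each candidate's response must be recomputed per challenge.
func crackResponse(table map[string]string, challenge, resp []byte) (string, bool) {
	for hashHex, w := range table {
		h, _ := hex.DecodeString(hashHex)
		if bytes.Equal(ntlmv1Response(h, challenge), resp) {
			return w, true
		}
	}
	return "", false
}

func main() {
	chal, _ := hex.DecodeString("0123456789abcdef") // constructed: the MS-NLMP example challenge
	h := ntHash("Password")
	resp := ntlmv1Response(h, chal)
	fmt.Printf("NT hash  %x\nresponse %x\n", h, resp)
	table := map[string]string{} // stands in for a precomputed table: unsalted NT hash -> password
	for _, w := range []string{"letmein", "password", "Password"} {
		table[hex.EncodeToString(ntHash(w))] = w
	}
	fmt.Println("direct table hit on a dumped NT hash:", table[hex.EncodeToString(h)])
	fmt.Println(crackResponse(table, chal, resp))
}
```

Two things worth noticing when running it. First, `ntHash` has no salt, which is exactly why a pwdump-style NT hash is table-friendly: every machine with the same password has the same 16 bytes. Second, `crackResponse` still has to run three DES encryptions per candidate because the challenge is folded in after the hash; the precomputed hashes only save the MD4 step. The caveat that follows from this, and that the thread's mention of fake hosts and SMB relays hints at: if the attacker is the one issuing the challenge (a rogue server or relay that always sends the same constant), the response becomes a function of the password alone again, and a table keyed on responses to that fixed challenge is just as feasible as one keyed on the NT hash.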