SMB packet capture cracking windows login password

Source: Internet
Author: User

SMB packet capture cracking windows login password
I personally feel that several desktop security vendors in China pay more attention to the traditional AV Technology. I think they should expand their defense depth and open up network intrusion detection. Why? Many attack methods circulating on the Internet, such as the dangers described here, cannot be underestimated. In the face of such threats, some mainstream products I tested have been silenced and have no response. As we all know, mimikatz, WCE, and creddump, windows password cracking tools can easily obtain the hash value and plaintext of windows logon passwords. But there are prerequisites! The premise is that you can upload all these tools and execute them on the target machine and escape AV. In fact, even if you have escaped static AV, it is hard to escape the dynamic anti-DDOS service. Obviously, it is difficult to use these tools to really do things. Are there other methods? Yes. Capture the hash value of the network sharing (SMB protocol) login authentication process, and use RainbowTable to crack and restore the windows Password in plaintext. The tools used in this experiment are Metasploit SMB Sniffer module, icrack_mt, and netntlm. pl. Of course, you 'd better download a Back Track. First, describe what happens when Windows accesses Remote sharing. Windows uses the user/psw of the current login user for authentication, using the SMB protocol. It is also possible to use a NULL password for authentication, that is, to create a NULL session. But it is not important. The authentication process is the same: 1. the Client requests authentication and lists the supported authentication protocols. 2. server selects the authentication protocol and returns a random challenge value. 3. the Client performs hash calculation on psw using the received challenge Value and sends the authentication protocol package. 4. server returns the authentication result: Successful, failed; Use Wireshark to capture packets, the above process is clear at a glance. Next, let's talk about the experiment idea and insert such an element into the webpage. Any machine accessing this page will send an SMB authentication request to At this time, you can receive the hash on How to Get hash? You can use aupoliciary/server/capture/smb in metasploit to simulate an SMB Shared server. After receiving the connection authentication request, the server uses the LMNT authentication protocol and returns a fixed (not random) challenge value of 0x1122334455667788. Wait for the harvest. As you can see, there are two groups of hash values in total. The next goal is to crack the second group of hash values. Before running SMB, Run the set JOHNPWFILE/temp/john command to save the hash value in the file to facilitate subsequent cracking. The next step is how to restore the hash value to a plaintext password. Why should I use a fixed challenge? Because someone has used this value to generate a rainbow table, we can use it directly. You need to download the rainbow table from here. Please try to download all the tables as much as possible. A total of GB is not much. ftp://freerainbowtables.mirror.garr....2/halflmchall/ Then download rcracki: Here, hash is segmented, and the first 7 bytes of password cracking are preferred. The command rcrack-mt.exe-h <first 16 digits of hash> <Rainbow table path> rcracki_mt.exe-h 3cf21b4522e336b0G: \ Rainbow can be cracked in minutes. I tried Intel Core (TM) 2 E8500 CPU cracking contains 9-bit passwords with letters, uppercase and lowercase letters, numbers, and special characters. The maximum time is 10 minutes. Of course, this step only cracks 7 of them, and the case of the letter is not correct. Next, use netntlm. pl to crack the second part of the password. If you use Back Track, this tool is installed by default. Command:./netntlm. pl-seed "A3; 34TE"-file/tmp/john_netntlm is cracked to get the correct password A3; 34teE $. In fact, the password for my experiment is not simple, and it is still so easy to crack. If many domain administrators forcibly execute password policies, the passwords set by many users are simpler and easier to crack. Note: After win7, the NTLM authentication protocol is disabled by default, and the test will not succeed. However, you can enable windows settings-Security Settings-Security Option in the Group Policy.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.