Netcraft - Search Web by Domain

Wireshark: Determining an SMB and NTLM version in a Windows environment « Knowledge for all (and free)! For the last few days I have been playing around with Wireshark, and I must say I enjoy working with this program. It has saved the day for me a couple of times by giving me information that can only be retrieved by looking at the packet level. In this article I was looking at SMB and NTLM traffic in a Windows environment. I noticed that our XP-based network was running NTLMv1, which is considered insecure. Intro: NTLM over a Server Message Block (SMB) transport is one of the most common uses of NTLM authentication and encryption. The NT LAN Manager (NTLM) Authentication Protocol is used in Microsoft Windows networks for authentication between clients and servers. Steps 1 and 2: the SMB protocol negotiates protocol-specific options using the SMB_COM_NEGOTIATE request and response messages. Step 3: the client sends an SMB_COM_SESSION_SETUP_ANDX request message. Step 4: the server responds with an SMB_COM_SESSION_SETUP_ANDX response message within which an NTLM CHALLENGE_MESSAGE is embedded. Wiresharking

yougetsignal: Find other sites hosted on a web server by entering a domain or IP address above. Note: For those of you interested, as of May 2014, my database has grown to over 100 million domain names. I am now offering this domain list for purchase. A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server. Background: All web sites are hosted on web servers, which are computers running specialized software that distributes web content as requested. As of 2003, more than 87% of all active domain names were found to share their IP addresses (i.e. their web servers) with one or more additional domains. While IP sharing is typically transparent to ordinary users, it may cause complications for both search engine optimization and web site filtering. Concerning SEO (search engine optimization): Conversely, search engines value links from web sites hosted on different IP addresses. Concerning web site filtering

Defence in Depth: Attacking LM/NTLMv1 Challenge/Response Authentication. In Part 1 of the “LM/NTLMv1 Challenge/Response Authentication” series I discussed how both the LANMAN/NTLMv1 protocols operate and the weaknesses that plague these protocols. In this post I will demonstrate how attackers leverage these weaknesses to exploit the LANMAN/NTLMv1 protocols in order to compromise user credentials. For the remainder of this article I will be focusing on attacking the SMB protocol (Windows file sharing), as this is where LANMAN/NTLMv1 is most commonly used. Capturing the Response: In order to capture a client’s LANMAN/NTLMv1 response, attackers will often utilise one of two methods: (1) force the client host to connect to them; (2) conduct a man-in-the-middle (MITM) attack and “sniff” the client’s response. To demonstrate these methods, I will be using the Metasploit Framework and Cain and Abel respectively. Metasploit: In order for a client host to connect to us, we first need to create a listening SMB service that will accept incoming connections. msf > run

NSLOOKUP: Query a DNS domain nameserver to look up and find IP address information of computers on the internet. Convert a host or domain name into an IP address. This is the right place for you to check how your web hosting company or domain name registrar has set up the DNS stuff for your domain, how your dynamic DNS is going, or to search IP addresses or research any kind of e-mail abuse (UBE/UCE spam) or other internet abuse. If you prefer dig over nslookup, you may try our dig service. This page is also available in German, French and Portuguese. Link to www.kloth.net. A new discussion forum has been set up. Recommended books about Networking.

John The Ripper Hash Formats: John the Ripper is a favourite password cracking tool of many pentesters. There is plenty of documentation about its command line options. I’ve encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general. Sometimes I stumble across hashes on a pentest, but don’t recognise the format, don’t know if it’s supported by john, or whether there are multiple “--format” options I should try. The hashes you collect on a pentest sometimes need munging into a different format… but what’s the format john is expecting? These problems can all be sorted with a bit of googling or grepping through the john source code. In the first release of this page I’ve: I haven’t yet done the following: added reminders on how hashes can be collected; added information on how to munge the hashes into a format supported by john. This sheet was originally based on john-1.7.8-jumbo-5. afs – Kerberos AFS DES; pdf – pdf

SocialWhois

Hacking Embedded Devices: UART Consoles - MWR Labs. The ‘Hardware Hacking’ scene has exploded recently, thanks largely to the widespread adoption of devices such as the Arduino and Raspberry Pi by the hacking community. Applying hardware hacking techniques during product assessments can often give unrivalled levels of access to hidden or undocumented functionality, particularly when reviewing embedded devices such as routers, switches and access points. Prior to his employment with MWR, Hacker Fantastic, a Senior Security Consultant with MWR, reviewed the “SAGEM F@ST2504 Sky Broadband router”, at the time a popular consumer broadband device, and documented his findings in a blog post and presentation titled Hacking Embedded Devices: For Fun and Profit. Matthew has since followed up on his prior work by reviewing the “Virgin Media SuperHub”, a cable modem/router used by Virgin Media Cable in the UK, and has revisited his assessment of the “SAGEM F@ST2504 Sky Broadband router”. UART Hacking Sky Broadband Router Virgin Media SuperHub

Flu Project: Anubis. Anubis is an application developed by Juan Antonio Calles in collaboration with Pablo González, of the Flu Project Team, designed to bring together in a single tool a large part of the tools needed for the information-gathering phases of security audits and penetration tests, known as Footprinting and Fingerprinting. With this tool the auditor will not only save time during the audit, but will also discover new information that could not be found manually, thanks to the automations built into Anubis. Among other features, Anubis can search for domains using techniques based on Google Hacking, Bing Hacking, brute-force attacks against DNS, zone transfers, etc. It can identify the operating system of the machines behind the domains through banner analysis, error searching and the integration of the nmap tool. Download Anubis v1.3 from HERE.

Intelligence Gathering - The Penetration Testing Execution Standard. This section defines the Intelligence Gathering activities of a penetration test. The purpose of this document is to provide a standard designed specifically for the pentester performing reconnaissance against a target (typically corporate, military, or related). The document details the thought process and goals of pentesting reconnaissance and, when used properly, helps the reader to produce a highly strategic plan for attacking a target. Background Concepts: Levels are an important concept for this document and for PTES as a whole. It’s a maturity model of sorts for pentesting. The Intelligence Gathering levels are currently split into three categories, and a typical example is given for each one. Level 1 Information Gathering (think: Compliance Driven): mainly a click-button information gathering process. Acme Corporation is required to be compliant with PCI / FISMA / HIPAA. Level 2 Information Gathering. Level 3 Information Gathering. What it is. Why do it. What is it not. Corporate. Physical