Passwords when mounting SMB shares

Peter Simons simons at cryp.to
Wed Mar 6 03:18:06 GMT 2002


Dear Samba Gods,

the company I work for is trying to increase the internal network
security, and for this purpose I'd like to demonstrate how badly chosen
passwords can compromise virtually anything.

I want to set up a small process that will capture any smbmount
packets going through the network, dump the user name and the
encrypted password to a file and run the result through a dictionary
attacking tool like "John the Ripper" or "Crack". Unfortunately, I
can't seem to recover the passwords from the SMB packets. When I dump
the passwords with pwdump2 on a Windows 2000 host, the encrypted form
looks like this:

Gast:501:aad3b435b51404eeaad3b436b51404ee:31d6cfe0d16ae931b73c59d7eec089c0:::

But the "passwords" in the SMB packets are 32 bytes long -- even though
the password length field of the packet claims they'd be 24 bytes. So
my guess is that the strings are stored in some kind of encoding that
I'd have to strip off to retrieve something I can attack. Is anyone
able (and willing) to help me out on that and explain to me what I am
missing? I'd really prefer not to have to try and understand a
Microsoft protocol from the implementation sources. ;-)

I'll appreciate _any_ feedback!

        -peter
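The pwdump2 line quoted in the post already carries the kind of signal an internal audit can act on without cracking anything: the NT hash of the empty string and the LM hash of the empty string are fixed, well-known values, and because the LM hash is computed as two independent halves over 7-character chunks, a second half equal to the empty-string half means the password is at most seven characters long. The script below is an added example written for this page, not code from the post or from the Samba project. It parses lines in the user:RID:LMhash:NThash::: layout the post shows and flags accounts with an empty password, an LM hash stored at all, or a password of seven characters or fewer. The sample dump is constructed; its Guest line uses the canonical empty-string LM value aad3b435b51404eeaad3b435b51404ee (the post's line differs from it by one character, most likely a typo), and the hash values for the second account are placeholders, not real hashes.

```python
"""Audit a pwdump-style dump for weak password storage.

Added example, not part of the original mailing-list post. Lines follow the
user:RID:LMhash:NThash::: layout that pwdump2 prints.
"""
from dataclasses import dataclass, field
from typing import List

# Well-known constants: the LM hash and the NT hash of the empty password.
# The LM hash is two independent 8-byte halves, one per 7-character chunk of
# the upper-cased password, so an empty second half reveals a length <= 7.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7eec089c0"

# Constructed sample dump. The Guest line mirrors the post with the canonical
# empty-LM value; the "alice" hashes are placeholders, not real hashes.
SAMPLE_DUMP = (
    "Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7eec089c0:::\n"
    "alice:1001:0123456789abcdefaad3b435b51404ee:0123456789abcdef0123456789abcdef:::\n"
)


@dataclass
class PwdumpEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str
    findings: List[str] = field(default_factory=list)


def parse_pwdump_line(line: str) -> PwdumpEntry:
    """Split one dump line and validate that both hashes are 16-byte hex."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    for h in (lm, nt):
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"bad 16-byte hex hash for {user}: {h!r}")
    if not rid.isdigit():
        raise ValueError(f"bad RID for {user}: {rid!r}")
    return PwdumpEntry(user=user, rid=int(rid), lm_hash=lm, nt_hash=nt)


def audit_entry(entry: PwdumpEntry) -> PwdumpEntry:
    """Attach findings derived purely from the stored hash values."""
    if entry.nt_hash == EMPTY_NT:
        entry.findings.append("empty password")
    if entry.lm_hash != EMPTY_LM:
        # Any non-empty LM hash means a case-insensitive, 14-char-max hash
        # of the password is stored alongside the NT hash.
        entry.findings.append("LM hash stored (weak, case-insensitive)")
        if entry.lm_hash[16:] == EMPTY_LM_HALF:
            entry.findings.append("password is 7 characters or fewer")
    return entry


def audit_dump(text: str) -> List[PwdumpEntry]:
    """Parse and audit every non-blank line of a dump."""
    results = []
    for line in text.splitlines():
        if line.strip():
            results.append(audit_entry(parse_pwdump_line(line)))
    return results


if __name__ == "__main__":
    for e in audit_dump(SAMPLE_DUMP):
        status = "; ".join(e.findings) or "no findings"
        print(f"{e.user} (RID {e.rid}): {status}")
```

Run against a real dump the checks stay purely local: no hash is ever cracked or sent anywhere, so the script can be part of a routine account review that reports empty passwords and short LM-hashed passwords to the owning team.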




More information about the samba-technical mailing list