I Smell Packets


Answer to Fred’s Secret Packet Challenge – Part 2
June 4, 2009, 1:15 am
Filed under: Cain, Packet Challenge, tshark, Wireshark

We left off the answer to our challenge last time with a pcap file containing 4 packets. Still not knowing what Fred’s secret was, let’s continue.

Opening the file with Wireshark shows the following:

tshark -nr 5.pcap
  1   0.000000 192.168.94.129 -> 192.168.94.128 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
  2  19.000000 192.168.94.128 -> 192.168.94.129 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: wilma\fred
  3  39.000000 192.168.94.129 -> 192.168.94.128 SMB Session Setup AndX Response
  4 296.000000 192.168.94.128 -> 192.168.94.129 SMB [TCP Retransmission] Session Setup AndX Request, NTLMSSP_NEGOTIATE

The reason tshark is used here is that it can decode Server Message Block (SMB) traffic, including the NTLMSSP messages carried inside the Session Setup exchange. Tshark is basically a command-line version of Wireshark. Anyway, right away we see a challenge, an authentication, and a response: this is Fred logging into a Windows system.

Tshark can display much more information about these packets by using the -V switch. Here is just a snippet of the output:
tshark -Vnr 5.pcap

                        .... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
                        .... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
                        .... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
                        .... .... .... .... .... 0... .... .... = Negotiate Anonymous: Not set
                        .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
                        .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                        .... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
                        .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                        .... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
                        .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                        .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                        .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                        .... .... .... .... .... .... .... .1.. = Request Target: Set
                        .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                        .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
                    NTLM Challenge: 89234201B1621ED1
                    Reserved: 0000000000000000
                    Address List
                        Length: 60
                        Maxlen: 60
                        Offset: 66
                        Domain NetBIOS Name: WILMA
                            Target item type: NetBIOS domain name (0x0002)
                            Target item Length: 10
                            Target item Content: WILMA
                        Server NetBIOS Name: WILMA

The NTLM Challenge line in the output above is the server challenge (89234201B1621ED1). The NTLMSSP_AUTH packet also carries the client's response hashes computed from that challenge. Together this is all the information needed to find out Fred’s secret password.
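As an added example (not code from the original post), here is a small Python parser for the NTLMSSP CHALLENGE_MESSAGE that tshark is decoding above. The sample message is constructed inline using the post's challenge value and the WILMA names; the negotiate flags outside the visible snippet are assumed.

```python
import struct

# Negotiate-flag bits, named as tshark prints them (values from MS-NLMP)
FLAG_NAMES = {
    0x00000001: "Negotiate UNICODE",
    0x00000002: "Negotiate OEM",
    0x00000004: "Request Target",
    0x00000200: "Negotiate NTLM key",
    0x00010000: "Target Type Domain",
    0x00080000: "Negotiate NTLM2 key",      # extended session security
    0x00800000: "Negotiate Target Info",
}
AV_NAMES = {0x0001: "Server NetBIOS Name", 0x0002: "Domain NetBIOS Name",
            0x0003: "DNS Computer Name", 0x0004: "DNS Domain Name"}


def parse_challenge(msg: bytes) -> dict:
    """Decode a Type 2 (CHALLENGE) message: flags, server challenge, target info."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]
    challenge = msg[24:32]                                          # 8-byte server challenge
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)   # TargetInfoFields
    av_pairs, pos = {}, ti_off
    while pos + 4 <= ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                      # MsvAvEOL terminates the AV pair list
            break
        av_pairs[AV_NAMES.get(av_id, f"AvId 0x{av_id:04x}")] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return {"target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "challenge": challenge.hex().upper(),
            # NTLM2 key negotiated => the "NTLM Session Security" response type Cain selects
            "session_security": bool(flags & 0x00080000),
            "av_pairs": av_pairs}


def build_sample() -> bytes:
    """Constructed Type 2 message: post's challenge, domain/server WILMA, assumed flags."""
    name = "WILMA".encode("utf-16-le")                      # 10 bytes, as in the tshark output
    av = b"".join(struct.pack("<HH", i, len(name)) + name for i in (0x0002, 0x0001))
    av += struct.pack("<HH", 0, 0)                          # MsvAvEOL
    flags = 0x00000001 | 0x00000004 | 0x00000200 | 0x00010000 | 0x00080000 | 0x00800000
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(name), len(name), 56)    # target name right after header
    hdr += struct.pack("<I", flags) + bytes.fromhex("89234201B1621ED1") + bytes(8)
    hdr += struct.pack("<HHI", len(av), len(av), 56 + len(name)) + bytes(8)  # offset 66, as above
    return hdr + name + av
```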

The easiest way to go about this is to use Cain. Cain is a free, Windows-based password cracking tool. To crack Fred’s password with Cain follow these steps:

1. Open the 5.pcap file with Cain. An SMB password will appear under Passwords on the Sniffer tab.

2. Right click the password and Send to Cracker.

[Screenshot: Cain1a.jpg]

3. Click the Cracker tab.

4. Select the user and scroll all the way over to the right and notice the Type of password. This is an NTLM Session Security password.

5. Right click the User name and select either a Brute-Force or a Dictionary Attack. Both will work.

[Screenshot: Cain2a.jpg]

6. As we just saw, the type of password we are trying to crack is an NTLM Session Security password. Select NTLM Session Security.

If you choose to do a Dictionary attack, use Cain’s default wordlist. The wordlist is located in C:\Program Files\Cain\Wordlists.

7. Click the Start button.

After a short time, no more than a minute or two, the password will be cracked. In this case the plaintext of user wilma\fred is betty. I always thought Fred might have a thing for Betty, she’s much hotter.

Congratulations go to Davy Douhine (@ddouhine on twitter) for being the first to solve this challenge. Davy used scapy, Cain, and brute-force to figure out Fred’s Secret. He also sent me a fun little challenge to figure out. We’ll share that with you next week.

Thanks everyone for playing.

Here are links to some information referenced in this challenge:
Tshark
NTLM – Wikipedia
Security Watch: The Most Misunderstood Windows Security of All Time
Windows Passwords: Everything You Need To Know
Cain & Abel
