|Informative Information for the Uninformed
Next: Table creation Up: Breaking NTLM with precomputed Previous: Breaking NTLM with precomputed Contents
Precomputing tables for NTLM has just been declared pretty much impossible with todays computing resources. The problem is pre-computing every possible hash value (and then, of course storing those values even if computation was possible). By applying a trick to remove the challenge from the equation however, precomputing NTLM hashes becomes almost as easy as the creation of LM tables. By writing a rogue CIFS server that hands out the same static challenge to every client that tries to connect to it, the problem has static values all over the place once again, and hashtable precomputation becomes possible.
The following screenshot depicts a proof of concept implementation that accepts an incoming CIFS connection, goes through the protocol negotiation phase with the connecting client, sends out the static challenge, and disconnects the client after receiving username and NTLM hash from it. The server also logs some more information that the client conveniently sends along.
IceDragon wincatch # bin/wincatch
Src Name: BARRIERICE
That's a Windows XP machine connecting to the rogue server running on Linux. The client is connecting from IP address 192.168.7.13. The username is ``Testuser'', the name of the host is ``BarrierIce'', and the password hash got captured too of course.