Cracking challenge and response lm/ntlm hashes

The Challenge and response hashes that i'll be cracking occur over protocols such as SMB/CIFS on Windows systems. When a user tries to access a remote share, he must first try to authenticate with that remote system. The client says "hello, i would like to communicate with you"; the server responds with a challenge which composes of random data; the client then takes this challenge and uses it to encode its user's lm/ntlm hash then sends the results back to the server; The server then uses the same random challenge and the response sent back by the client to derive the lm/ntlm hash of the user then compares this to its SAM database to see if this user is a valid user on the server.

The server portion of such a system can be modified to respond with a static challenge instead of issuing a random challenge for every client request. By doing so, cracking via rainbow tables becomes favorable and wordlist/bruteforce attacks become viable as well. Because of the use of random challenges per client request to the server, cracking became very difficult as the challenge had to be known and then be incorperated into the cracking program. Having a static challenge thus solves this difficulty.

More information can be found on google and here

Metasploit can be used to capture these hashes and John the ripper can be used to crack them

[metasploit]

# msfconsole

msf> use auxilliary/server/capture/smb

msf auxilliary(smb)> run

[John]

# ./john --format=netlm --wordlist=passwords.lst halmlmhashes.txt

The challenge and response hashes must be saved in the following format to be suitable for cracking using john:

user:::LM_HASH:NT_HASH:STATIC_CHALLENGE
Example:
admin:::A37C5C9316D9175589FDC21F260993DAF3644F1AAE2A3DFE:A37C5C9316D9175589FDC21F260993DAF3644F1AAE2A3DFE:1122334455667788

Reesources/Good Reading:

http://www.foofus.net/?page_id=63