Statement:
This article is purely a technical analysis of how Windows NT/2000 password hashes can be captured with a sniffer. The author accepts no responsibility for any harm the article may make possible.
Introduction:
Recently SMB session hijacking has been discussed at length on the major technical forums and has attracted a great deal of attention; at the same time issue 37 of the NSFocus (绿盟) monthly, issue 60 of Phrack and the XFocus (安全焦点) security summit all published related articles, which turned SMB session hijacking into a hot topic. Because the problem lies in a design flaw of Windows, this is a very dangerous attack that is hard to defend against (enforced SMB signing on both client and server is the usual mitigation). This article tries, from the angle of SMB packet analysis, to show how the NT/2000 hash can be intercepted; the concrete implementation is not published. Readers are asked to keep the statement above firmly in mind.
Explanation:
To keep the article focused, the SMB protocol itself and the SMB session process are not discussed here and are not treated in detail below; interested readers should consult the reference documents listed in the appendix. Unless stated otherwise, every packet mentioned in this article was captured with Sniffer Pro, and for ease of analysis the physical frame, IP and TCP headers have been removed, leaving only the NetBIOS session (NETB) and SMB parts.
Main text:
Assume two machines: Client A and SMB server B.
First, session establishment:
When A tries to access a particular resource on B, a NetBIOS session is set up first. A sends a Session Request that contains the encoded NetBIOS names (the called name of B and the calling name of A). B listens on TCP port 139; after receiving A's request it returns a Session Confirm (positive session response) that carries no further content. A valid session now exists. The NETB Type byte of the Session Request packet is 0x81 and that of the Session Confirm packet is 0x82, so a program can test for these two values to decide whether a valid session has been established, and then try to intercept the SMB packets that follow.
Second, obtaining the challenge:
Once the valid session exists, authentication of the connection begins, and in this step the challenge that B generates at random and sends to A can be obtained.
The process is as follows. A sends B a protocol negotiation request; B generates an 8-byte random challenge and returns it to A inside its negotiate response packet (the Server Response). After capturing this packet with Sniffer Pro, remove the physical frame, IP and TCP headers, then remove the 4-byte NETB header, which leaves the bare SMB message. Remove the 33-byte SMB response header (the 32-byte SMB header plus the WordCount byte), skip a further 36 bytes (the 17 parameter words of the NT LM 0.12 response plus the 2-byte ByteCount), and the next 8 bytes are the challenge: the randomly generated server challenge we need. These offsets hold only when the NT LM 0.12 dialect is negotiated without extended security; if the extended-security bit is set in the server's capabilities, this position holds a GUID and security blob instead, and the challenge is carried later, in the NTLMSSP CHALLENGE message of the session setup response.
(Because the goal of this article is the practical interception of the hash, the concrete meaning of the bytes in the packets is not explained; only their positions are given, and the rest of the article follows the same principle. Readers who want to go deeper should refer to the reference documents in the appendix.)
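The two steps above, detecting the 0x81/0x82 NetBIOS session exchange and then cutting the 8-byte challenge out of the negotiate response at offset 33+36, as one worked example. This is an added example, not the article's unpublished implementation. It works on the same slice the article keeps (the 4-byte NetBIOS session header plus the SMB message); every packet in it is constructed inline rather than taken from a capture, and the capabilities word, the machine names and the challenge bytes are illustrative assumptions.

```python
"""Pull the 8-byte server challenge out of a captured SMB negotiate reply.

Added example, not the article's unpublished implementation. Input is the TCP
payload only (4-byte NetBIOS session header + SMB message), the slice the
article keeps after stripping the frame, IP and TCP headers. All sample
packets below are constructed for offline use, not taken from a real capture.
"""
import struct

NBSS_SESSION_MESSAGE = 0x00
NBSS_SESSION_REQUEST = 0x81        # the article's "Session request"
NBSS_POSITIVE_RESPONSE = 0x82      # the article's "Session confirm"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80             # bit 7 of the Flags byte at SMB offset 9
CAP_EXTENDED_SECURITY = 0x80000000
CHALLENGE_OFFSET = 33 + 36         # header(32)+WordCount(1), 17 words(34)+ByteCount(2)

def nbss_type(packet: bytes) -> int:
    if len(packet) < 4:
        raise ValueError("truncated NetBIOS session header")
    return packet[0]               # message type is the first header byte

def nbss_body(packet: bytes) -> bytes:
    """Strip the 4-byte NetBIOS header (type, length-extension bit, 16-bit length)."""
    length = ((packet[1] & 0x01) << 16) | (packet[2] << 8) | packet[3]
    return packet[4:4 + length]

def session_established(packets) -> bool:
    """True once a 0x81 session request has been answered by a 0x82 response."""
    saw_request = False
    for p in packets:
        t = nbss_type(p)
        if t == NBSS_SESSION_REQUEST:
            saw_request = True
        elif t == NBSS_POSITIVE_RESPONSE and saw_request:
            return True
    return False

def extract_challenge(smb: bytes) -> bytes:
    """Challenge from an NT LM 0.12 SMB_COM_NEGOTIATE reply; ValueError otherwise."""
    if len(smb) < CHALLENGE_OFFSET + 8 or smb[:4] != b"\xffSMB":
        raise ValueError("not a complete SMB message")
    if smb[4] != SMB_COM_NEGOTIATE or not smb[9] & SMB_FLAGS_REPLY:
        raise ValueError("not a negotiate protocol reply")
    if smb[32] != 17:                  # WordCount of the NT LM 0.12 reply
        raise ValueError("WordCount != 17: not an NT LM 0.12 negotiate reply")
    capabilities = struct.unpack_from("<I", smb, 52)[0]
    if capabilities & CAP_EXTENDED_SECURITY:
        # Caveat: a GUID/security blob sits here instead of the key; the challenge
        # then arrives in the NTLMSSP CHALLENGE token of the session setup reply.
        raise ValueError("extended security negotiated: no challenge at this offset")
    key_len = smb[66]                  # EncryptionKeyLength, last parameter word
    if key_len != 8:
        raise ValueError(f"unexpected EncryptionKeyLength {key_len}")
    return smb[CHALLENGE_OFFSET:CHALLENGE_OFFSET + key_len]

def challenge_from_stream(packets):
    """Walk the A<->B messages in order; return the first challenge found after
    the NetBIOS session is up, or None if no usable negotiate reply is present."""
    if not session_established(packets):
        return None
    for p in packets:
        if nbss_type(p) != NBSS_SESSION_MESSAGE:
            continue
        try:
            return extract_challenge(nbss_body(p))
        except ValueError:
            continue
    return None

# Constructed sample traffic: an offline stand-in for a Sniffer Pro capture.
def nbss_encode_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 letters, length-prefixed."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + enc + b"\x00"

def nbss_message(smb: bytes) -> bytes:
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb

def smb_header(command: int, flags: int) -> bytes:
    """32-byte SMB header; status, signature and TID/PID/UID/MID zeroed for the sample."""
    return b"\xffSMB" + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x01\x00" + b"\x00" * 20

def build_negotiate_response(challenge: bytes, extended_security: bool = False) -> bytes:
    """Constructed NT LM 0.12 negotiate reply; the field values are illustrative."""
    caps = CAP_EXTENDED_SECURITY if extended_security else 0x0000E3FD
    data = b"\x00" * 16 if extended_security else challenge   # 16-byte GUID stands in
    words = struct.pack("<HBHHIIIIIIhB", 0, 0x03, 50, 1, 16644, 65536, 0, caps,
                        0, 0, 0, 0 if extended_security else len(challenge))
    return (smb_header(SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY) + bytes([17]) + words
            + struct.pack("<H", len(data)) + data)

CHALLENGE = bytes.fromhex("0123456789abcdef")   # constructed, not a real server value
SAMPLE_PACKETS = [
    b"\x81\x00\x00\x44" + nbss_encode_name("SMBSERVER", 0x20) + nbss_encode_name("CLIENT", 0x00),
    b"\x82\x00\x00\x00",
    nbss_message(smb_header(SMB_COM_NEGOTIATE, 0) + b"\x00" + struct.pack("<H", 12) + b"\x02NT LM 0.12\x00"),
    nbss_message(build_negotiate_response(CHALLENGE)),
]
```

Feeding SAMPLE_PACKETS to challenge_from_stream() walks the 0x81 request, the 0x82 confirm and the client's negotiate request (skipped because the reply bit is clear) and returns the constructed 0123456789abcdef from the reply; a reply built with extended_security=True yields None, which is the case where the same offset would otherwise hand you 8 bytes of GUID instead of a challenge.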