Need some help! I have an issue! I am trying to capture NTLM hashes from the network. This is what I want to achieve..
I want with wireshark or cain sniff the network for Active directory handshakes. In somehow capture the NTLM hashes when the user is authenticated against Microsoft Active directory. I am trying to accomplish it with wireshark and I am filtering the traffic using smb, ldap and ntlmssp filters and I have reached a point where the frames contain data that looks like hashes but I am not sure. I tried with l0phtcrack and after hours nothing has been captured. I am trying with cain by enabling NTLM downgrade, challenge spoofing reset and challenge spoofing but with no result, nothing has been captured. When I try all the above (wireshark, cain etc) during sniffing I connect to various shared folders, remote desktops and computers that belongs to active directory. I believe that with wireshark I am pretty close but cant tell for sure.
Can anyone help or point me in the right direction?
I noticed that when I connect from a linux machine to a windows shared folder cain captures the hash!
?
