[Snort-sigs] pwdump, l0phtcrack, hash extraction

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Tue Jul 20 08:43:01 EDT 2004

There is a signature for pwdump/etc...


Null sessions are what are typically used to pull out the entire
user/passhash on domain controllers...

So set your target variable to the systems you care about... and you're

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Tuesday, July 20, 2004 9:11 AM
To: Matt Sheridan
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] pwdump, l0phtcrack, hash extraction

On Tue, Jul 20, 2004 at 09:05:32AM -0400, Matt Sheridan wrote:
> I may be missing something obvious - but I can't seem to find a snort
> for pwdump/3 or any other hash extraction utility. I haven't myself
> done a packet analysis, so it may just be a lack of fingerprint.  I have a
> secondary commercial IDS which does have a signature for pwdump, which
> indicates some matter of identification. If I am missing something
> out-of-the-box, forgive me. Any thoughts?

grab a pcap, and write a rule for it.  :)

If you want someone else to write a rule for it, grab a pcap and
forward it to the list.  (or to myself if you don't want to share with
the whole world)
