[Snort-sigs] pwdump, l0phtcrack, hash extraction
matt at ...2436...
Tue Jul 20 09:44:02 EDT 2004
I don't believe a null session is used with pwdump. It's got to have
admin rights to run pwservice.exe and get the hashes.
What I see hit when using pwdump3e are:
NETBIOS SMB-DS ADMIN$ share unicode access
NETBIOS SMB-DS Create AndX Request winreg unicode attempt
And the 2 rules I put up on bleedingsnort.com as well. Since the 2 above
can hit for legitimate traffic they aren't a good indication of hostile
Kreimendahl, Chad J wrote:
> There is a signature for pwdump/etc...
> NETBIOS NT NULL session
> Null sessions are what are typically used to pull out the entire
> user/passhash on domain controllers...
> So set your target variable to the systems you care about... and you're