Forensic Blogs

An aggregator for digital forensics blogs

by

WebDAV, NTLM & Responder

I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers.

Long story short: there’s a bug in Responder version 2.3.3.9. It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this:

The code in Responder “sees” just “Content-Length” and waits for more packets:

I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py):

And now I have NTLMSSP headers:

I just start my modified version of Responder:

Generate WebDAV traffic from a Windows 7 client:

And Responder participates in the challenge:

This can of course be cracked (if the password is not too complex), with John The Ripper for example:

I also have a blog post with more details about WebDAV traffic from Windows clients.

Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR.

You can find the capture file here:

webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8

by

Quickpost: Retrieving an SSL Certificate with nmap

One of my first quickposts, more than 10 years ago, was an howto: using openssl to retrieve the certificate of a web site.

Since then, nmap has a scripting engine, and there is a script to check a certificate with nmap: ssl-cert.nse.

You just have to scan the site and port for which you want to check the certificate, like this: nmap -p 443 –script ssl-cert didierstevens.com

If you want the certificate too, increase verbosity with option -v:

Checking a certificate will not work if you scan a port that is not known to provide SSL/TLS:

In that case, you have to use service discovery (-sV):

 

Quickpost info

by

Update: msoffcrypto-crack.py Version 0.0.3

This is a bug fix update: for agile encryption, Python module msoffcrypto does not throw an exception in method load_key when an invalid password is provided. It throws an exception when an attempt is made to decrypt the file.

I added a call to method decrypt to handle this case.

msoffcrypto-crack_V0_0_3.zip (https)
MD5: 45BAB81D744DA62182EC58A8F2E05BFE
SHA256: CF9DE02C72C07C07786BE09551CD17F6DBB83BCEF2A1C5435E06A695D7C6770E