Sniffing and Cracking Windows Authentication Exchanges

Although any authentication mechanism can theoretically be compromised, attackers generally focus on the weakest link. While Kerberos authentication exchanges are subject to attack, these are more complicated and thus less likely to be successful in a reasonable period of time than attacks against LanMan or NTLM authentication. Thus, we are going to focus on the weakest member of the group of authentication processes covered thus far.

It is important to understand when authentication happens between two Windows systems. An authentication takes place whenever a process on one system attempts to access a resource on another system. An example would be when a user attempts to map a network drive, ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.