Explaining the PostgreSQL pass-the-hash vulnerability
#5
(03-03-2015, 03:13 PM)coolbry95 Wrote: Based on the write-up you need to just dump the credentials. Then use the MD5 hash from the credentials database. There is no need to sniff the hash over the network. Although in theory you could also sniff the hash over the network and still do pth. I believe this is possible; I may be wrong. From the write-up it also seems they use SSL, so you would have that to deal with as well.

You cannot do pth with the captured hashes, because H(P) is never transmitted over the wire, only H(P . R) is. Here P is the password and R is the random nonce as used in the article. Since H is a one-way function, you cannot recover H(P) from H(P . R) efficiently.

Edit: It seems that R is 4 bytes only, so you have a 1/2^32 chance of success: the case when the nonce is the same.


RE: Explaining the PostgreSQL pass-the-hash vulnerability - by mr.schyte - 03-03-2015, 03:50 PM
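The exchange the two posts argue about, as an added example that is not part of the thread (my code, not either poster's and not PostgreSQL's own): PostgreSQL's MD5 challenge-response, written with hashlib and constructed sample credentials. What the post calls H(P) is the value kept in pg_authid.rolpassword, "md5" + md5(password || username); the wire response is "md5" + md5(that hex string || the 4-byte salt R). Function and variable names are mine. The demo shows why a dumped rolpassword is enough to log in (pass-the-hash) while a sniffed response only replays if the server issues the same salt again.

```python
import hashlib
import os


def pg_stored_hash(password: str, username: str) -> str:
    """Value PostgreSQL stores in pg_authid.rolpassword for MD5 auth:
    "md5" + hex(md5(password || username)). This is H(P) in the post."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_password_message(stored_hash: str, salt: bytes) -> str:
    """Client's PasswordMessage after an AuthenticationMD5Password request
    carrying a 4-byte salt (R): "md5" + hex(md5(hex part of stored hash || salt)).
    The input is the stored hash, not the password, so a dumped rolpassword
    is all an attacker needs to produce a valid response."""
    if not stored_hash.startswith("md5") or len(stored_hash) != 35:
        raise ValueError("expected a 35-char 'md5'-prefixed stored hash")
    if len(salt) != 4:
        raise ValueError("PostgreSQL MD5 salt is exactly 4 bytes")
    return "md5" + hashlib.md5(stored_hash[3:].encode() + salt).hexdigest()


def server_accepts(stored_hash: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response from rolpassword and the
    salt it issued, then compare with what the client sent."""
    return pg_password_message(stored_hash, salt) == response


def demo() -> dict:
    # Constructed sample credentials, not taken from any real system.
    username, password = "app_user", "correct horse battery staple"
    stored = pg_stored_hash(password, username)  # what pg_authid holds

    # 1) Normal login: the client knows the password and derives H(P) itself.
    salt1 = os.urandom(4)
    resp1 = pg_password_message(pg_stored_hash(password, username), salt1)
    normal_login = server_accepts(stored, salt1, resp1)

    # 2) Pass-the-hash: the attacker dumped rolpassword and never learned
    #    the password, yet answers a fresh challenge correctly.
    salt2 = os.urandom(4)
    pth_login = server_accepts(stored, salt2, pg_password_message(stored, salt2))

    # 3) Replay of a sniffed response (resp1) against a fresh salt fails;
    #    it only works if the server hands out the very same 4-byte salt
    #    again, which is the 1-in-2^32 case from the post.
    salt3 = os.urandom(4)
    while salt3 == salt1:
        salt3 = os.urandom(4)
    replay_fresh_salt = server_accepts(stored, salt3, resp1)
    replay_same_salt = server_accepts(stored, salt1, resp1)

    return {
        "normal_login": normal_login,
        "pth_login": pth_login,
        "replay_fresh_salt": replay_fresh_salt,
        "replay_same_salt": replay_same_salt,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The sniffed value resp1 is md5(H(P) || R) with R consumed inside the hash, so nothing in the code path lets the attacker peel H(P) back out; the only reuse is the exact-salt replay in case 3. Note that the salt bytes are random and may include non-ASCII values, which is why they are concatenated as raw bytes rather than as a string.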