1. Yes, but if he truly got the hash, then you have other security issues to
worry about. Windows never sends the hashes over the network--instead,
they're used in the computation of challenge-response pairs. To get the hashes
directly you break into the authentication server on the network--typically
the domain controller.
2. Yes, it uses Kerberos. Remember, though, that Kerberos uses NT hashes.
See #1 above.
3. Don't get your hashes stolen. Configure your systems not to generate
LanMan (LM) challenge-response pairs. Abandon "complex" passwords in favor
of long passphrases. See Jesper's article at
http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx for
more details, and his presentation at
http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8...fb4f7a0
Steve Riley
steve.riley DeleteThis @microsoft.com
http://blogs.technet.com/steriley
"guru2003" <guru2003 DeleteThis @discussions.microsoft.com> wrote in message
news:74A1278B-4682-45A0-9110-84D2B8B45681@microsoft.com...
> We have a Windows 2000 domain controller. Clients are Windows XP
> Professional.
>
> Our auditor used Cain and Abel and sniffed the login traffic. He said he
> got the NTLM hash. Using some password cracker, since the password was
> simple, he cracked it too.
>
> I have a few questions:
>
> First, is this possible?
>
> Second, when I log in from Windows XP Professional to the Windows 2000 DC,
> are we not using Kerberos? Can Kerberos login traffic be sniffed and the
> password hash extracted?
>
> Third, apart from using long and complex passwords, is there any other
> mechanism to safeguard against this?
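As an added illustration of point #3 in the reply above (this is not code from the post or from Microsoft), the script below audits, and optionally hardens, the two LSA settings that decide whether a host still generates LanMan (LM) or NTLMv1 challenge-response pairs and whether it keeps storing LM hashes. It assumes the standard registry path and value names (`LmCompatibilityLevel`, `NoLMHash`) and must run elevated for `-Harden`.

```powershell
# Added example: audit and optionally harden the LAN Manager authentication
# settings discussed in the reply. Assumes the standard LSA registry location.
param([switch]$Harden)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel (client behaviour / DC behaviour):
#   0-1  send LM and NTLMv1 responses        (the LM pair is the weak, sniffable one)
#   2    send NTLMv1 only, never LM
#   3    send NTLMv2 only                    (no LM/NTLMv1 pair ever leaves the host)
#   4-5  as 3, and a DC also refuses LM (4) or LM and NTLMv1 (5) from clients
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

# NoLMHash = 1 stops the LM hash from being stored at the next password change,
# so a stolen SAM or AD database yields only NT hashes. (Passphrases longer than
# 14 characters never get an LM hash in the first place, which is one reason the
# reply recommends them.) Note: on Windows 2000 this was a subkey, not a value.
$noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash

$report = [pscustomobject]@{
    LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default applies)' } else { $level }
    MaySendLmOrNtlmV1    = ($null -eq $level) -or ($level -lt 3)
    NoLMHash             = if ($null -eq $noLm) { 'not set' } else { $noLm }
    LmHashMayBeStored    = ($noLm -ne 1)
}
$report | Format-List

if ($Harden) {
    # Level 3 is the lowest setting at which this host never emits LM or NTLMv1
    # pairs; raise to 5 on domain controllers once every client is known to cope.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord
    Write-Host 'Hardened. NoLMHash takes effect as each account next changes its password.'
}
```

Run it without `-Harden` first across a sample of clients and the DC: any host reporting `MaySendLmOrNtlmV1 = True` can still be made to produce the challenge-response pair the auditor captured.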