Didier Stevens

Syndicate content Didier Stevens
(blog \'DidierStevens)
Updated: 3 min 57 sec ago

WebDAV, NTLM & Responder

Mon, 2019/05/20 - 02:00
I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers. Long story short: there’s a bug in Responder version 2.3.3.9. It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this: The code in Responder “sees” just “Content-Length” and waits for more packets: I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py): And now I have NTLMSSP headers: I just start my modified version of Responder: Generate WebDAV traffic from a Windows 7 client: And Responder participates in the challenge: This can of course be cracked (if the password is not too complex), with John The Ripper for example: I also have a blog post with more details about WebDAV traffic from Windows clients. Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR. You can find the capture file here: webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8
Categories: Security Posts