Ethereal-users: Re: [Ethereal-users] Lanman Hashes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 3 Feb 2003 16:19:28 -0800
On Mon, Feb 03, 2003 at 07:02:15PM -0500, Robert Brugman wrote:
> Hey Everyone, I have another question,
> Is there any way to capture Windows LanMan hashes with ethereal without 
> having an IP address?

LanMan hashes presumably get passed over the network in SMB and other
packets, in which case "is there any way to capture Windows LanMan
hashes without having an IP address" devolves to

	1) "is there any way to capture Windows LanMan hashes?"

plus

	2) "is there any way to capture network traffic without having
	   an IP address?"

as there's nothing special about traffic with LanMan hashes if you're
doing the sort of "third party" sniffing you were talking about in your
previous message.  (If it's not third-party sniffing, the only way
you're going to capture LanMan hashes is if your machine sends or
receives one, which will probably require that your machine have an IP
address unless you're using NBF, and I suspect Apple didn't bother
supporting SMB-over-NBF, just SMB-over-{NetBIOS-over-}TCP.)

You've already asked question 2) and gotten an answer to that.

That leaves question 1), for which the answer is "yes, as long as this
isn't one of those cases where a switch or dual-speed hub causes a
problem, and as long as your interface supports promiscuous mode":

	http://www.ethereal.com/faq.html#q5.1

as long as the traffic with the LanMan hashes goes through the hub to
which you referred in your previous message.