I was trying to create a capture file with NTLM authenticated WebDAV traffic, using Responder: I couldn’t get it to work. There was WebDAV traffic, but no NTLMSSP headers.
Long story short: there’s a bug in Responder version 2.3.3.9. It manifests itself when the WebDAV client sends a request with just headers, and “Content-Length: 0”, like this:
The code in Responder “sees” just “Content-Length” and waits for more packets:
I made a quick & dirty fix: break out of the loop when we see “Content-Length: 0” (servers/HTTP.py):
And now I have NTLMSSP headers:
I just start my modified version of Responder:
Generate WebDAV traffic from a Windows 7 client:
And Responder participates in the challenge:
This can of course be cracked (if the password is not too complex), with John The Ripper for example:
I also have a blog post with more details about WebDAV traffic from Windows clients.
Once I got Responder to work, I searched on Laurent’s Responder repository, and found a pull-request to fix issues with “Content-Length: 0” requests (this PR has not been merged yet). Hence I’m not going to do my own PR.
You can find the capture file here:
webdav-ntlm-responder.zip (https)
MD5: A427DDBDAF090E93BB75B7A8DE696826
SHA256: 2F92CDD7382DD3622AC1F8769CF9D065C60C235DEF764E6709C32E2C4A7554A8
Didier Stevens 
[…] WebDAV, NTLM & Responder […]
Pingback by Overview of Content Published in May | Didier Stevens — Saturday 1 June 2019 @ 0:00