Which tool can crack Windows SMB passwords by listening to network traffic?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which tool can crack Windows SMB passwords by listening to network traffic?

Explanation:

The concept here is credential capture from network traffic and offline cracking. Windows SMB authentication often uses NTLM (or LM in older setups), and if an attacker can place themselves on the same network path, those authentication exchanges can be captured as hashes rather than plaintext passwords. Once an attacker has those hashes, they can crack them offline to recover the plaintext password.

Cain and Abel is the best fit because it combines network sniffing to intercept SMB authentication data with built-in capabilities to crack captured NTLM/LM hashes. It can perform techniques like ARP spoofing to position the attacker as a man-in-the-middle, capture the credentials as they’re transmitted, and then crack the hashes using various attack methods.

Wireshark by itself just captures traffic; it does not crack passwords. John the Ripper can crack captured hashes if you provide them, but it doesn’t capture traffic on its own. The statement that this is not possible misses the typical capture-and-crack workflow using tools like Cain and Abel.

Note that on modern networks with SMB signing and encryption, this kind of credential theft becomes significantly harder and less reliable, but the basic concept—capturing credentials from traffic and cracking them offline—is a known technique.
