# SNIFFING AND CRACKING NTLM HASHES
###### tags: `ntlm` `windows` `active directory` `responder` `inveigh`
## :book: INTRODUCTION
### What's NTLM?
If you are acquainted with Active Directory, you surely know the NTLM hash concept. NTLM is one of the two authentication protocols available on a Windows machine, the other being Kerberos.

:::info
:pushpin: More info about windows logon scenarios [here](https://docs.microsoft.com/es-es/windows-server/security/windows-authentication/windows-logon-scenarios).
:::
### How does it work?
NTLM uses a challenge-response protocol. It can be summarised in the following steps:
1. The client machine sends the username and the domain to the domain controller.
2. The domain controller generates a [16-byte random character string](https://en.wikipedia.org/wiki/Cryptographic_nonce) (the challenge).
3. The client machine encrypts the domain controller's challenge with the hash of the user's password and sends the result to the domain controller.
4. The domain controller encrypts the challenge from step two with the user's password hash stored in the security account database and compares it with the value received from the client. If the values match, the client machine is allowed in.
:::info
:pushpin: More info about NTLM [here](https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm#:~:text=NTLM%20uses%20an%20encrypted%20challenge,to%20the%20secured%20NTLM%20credentials).
:::
##
## :unlock: ATTACKING
### Sniffing NTLM hashes | Linux
With [Responder](https://github.com/SpiderLabs/Responder), we can sniff the NTLM hash of a Windows machine from Kali Linux (or another distribution).
For this, we only need to execute the following command.
```bash=1
python Responder.py -I eth0 -v
```

Now, when a Windows client machine looks up a non-existent share, Responder captures the NTLM authentication traffic.
Once we have obtained the hash, we crack it with John the Ripper, hashcat or a similar tool.
### Sniffing NTLM hashes | Windows
We can obtain NTLM hashes on Windows with [Inveigh](https://github.com/Kevin-Robertson/Inveigh). It is a PowerShell script, so we only have to import the module to be able to use it.
```powershell=
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Import-Module ./Inveigh.psd1
```
And for sniffing the network:
```powershell=
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP <Target IP>
```
### Cracking the NTLM hash
We can crack the NTLM hash with any cracking tool. In this case, I used John the Ripper. One caveat: what Responder and Inveigh capture on the wire is a NetNTLMv1/v2 challenge-response rather than a raw NT hash; John loads those with `--format=netntlm` or `--format=netntlmv2`, while `--format=NT` is the format for raw NT hashes dumped from the SAM or NTDS.dit.
```bash=
# "hash" is the file containing the captured hash, one entry per line
john --format=NT hash --wordlist=dictionary.txt --rules
```
To view the cracked password:
```bash=
john --show --format=NT hash
```
:::info
Today, it is possible to crack an NTLM hash in less than 24 hours. More info [here](https://blog.knowbe4.com/8-character-windows-ntlm-passwords-can-be-cracked-in-under-2.5-hours).
:::
##
## :mortar_board: CONCLUSION
NTLM authentication should be disabled in the domain to prevent these attacks. Thanks for reading.