Leet Sheet
NTLM

Techniques for stealing and abusing NTLM credentials


Last updated 2 years ago


Pass The Hash

The NTLM hash of a user’s password is used in the NTLM challenge-response authentication protocol. Therefore, if you know the user’s NTLM hash, you can impersonate that user for services that rely on NTLM challenge-response.

To find the exact commands, look for the article on the specific service you want to pass the hash to (the SMB article, for example).

LLMNR/NBT-NS Poisoning

If DNS cannot resolve a name, the Windows client falls back to sending an LLMNR / NBT-NS query over the local network. For example, this can happen when the user mistakenly writes //pintserver instead of //printserver. These queries are meant for identifying hosts when DNS fails.

An attacker on the same network can listen for these queries and answer them, so that the victim sends its request to the attacker. The victim's computer then sends the victim's credentials to authenticate to the desired service. The resulting NTLM hash can be cracked or used for pass the hash.

A good tool for this is Responder (SpiderLabs/Responder on GitHub): an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
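One way defenders detect a poisoner like Responder is to ask LLMNR for a name nobody owns and see who answers. The following is an added example, not code from the page or from the Responder project: it builds and parses LLMNR packets (LLMNR reuses the DNS wire format on UDP 5355), flags a reply to a canary query, and includes a constructed poisoned reply so the check runs offline; probe() is a hypothetical helper that actually sends on the network.

```python
import os, socket, struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR multicast group and port

def encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def build_llmnr_query(name, tid):
    # DNS-style header (id, flags=0 standard query, qdcount=1) followed by one A/IN question
    return struct.pack(">HHHHHH", tid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def _skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length == 0: return off + 1
        if length & 0xC0 == 0xC0: return off + 2    # compression pointer: two bytes, then done
        off += 1 + length

def parse_llmnr_reply(pkt):
    """Return (transaction id, [A-record addresses]) or None if the packet is not a response."""
    tid, flags, qdcount, ancount = struct.unpack(">HHHH", pkt[:8])
    if not flags & 0x8000: return None               # QR bit clear: this is a query, not a reply
    off = 12
    for _ in range(qdcount): off = _skip_name(pkt, off) + 4   # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10]); off += 10
        if rtype == 1 and rdlen == 4: addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return tid, addrs

def is_poisoned_reply(query, reply):
    """Nobody legitimately owns a random canary name, so any matching answer came from a poisoner."""
    parsed = parse_llmnr_reply(reply)
    return parsed is not None and parsed[0] == struct.unpack(">H", query[:2])[0] and bool(parsed[1])

def sample_poisoned_reply(query, answer_ip):
    """Constructed reply in the shape a poisoner sends: echoes the question, answers with its own IP."""
    return (query[:2] + struct.pack(">HHHHH", 0x8000, 1, 1, 0, 0) + query[12:]
            + b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip))

def probe(timeout=2.0):
    """Send one query for a random canary name to the LLMNR group; return the responder's IP, if any."""
    query = build_llmnr_query("canary-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout); s.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        try: reply, src = s.recvfrom(4096)
        except socket.timeout: return None
    return src[0] if is_poisoned_reply(query, reply) else None
```

The same check can be scheduled from a few hosts per subnet; the durable fix is still to disable LLMNR and NBT-NS via policy so the typo'd name never leaves DNS.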

NTLM Relaying

If you are in a man-in-the-middle position with a client, for example, and that client tries to connect to some resource using the NTLM protocol, you can relay the authentication messages and connect to that resource yourself instead of the client.

NTLM is cross-protocol. In HTTP, for example, the NTLM authentication messages are sent inside the "Authorization" header. An attacker can take these messages out of the HTTP header and replay them in SMB, for example.

NTLM is supported in several protocols, including SMB, HTTP(S), LDAP, IMAP, POP3, MSSQL.

You can get NTLM traffic in several ways:

  • Traffic to hosts whose IP is resolved in an insecure manner

    • When the client is configured with DNS servers that no longer exist

    • NBT-NS and LLMNR poisoning

  • Traffic resulting from the abuse of auto-discovery protocols (WPAD)

    • WPAD is Windows Proxy Auto Detection. The client looks for a hostname called WPAD via DNS and, if that fails, via LLMNR and NBT-NS, which allows the poisoning attacks above. Several things about this were patched by Microsoft in June 2016, but I guess older versions are still vulnerable.

  • Traffic obtained through a man-in-the-middle attack

    • ARP spoofing

    • Intercepting non-TLS traffic (using ARP spoofing, for example) and redirecting it to a location that the victim's workstation trusts. If Automatic Intranet Detection is enabled (the default), the client will automatically authenticate (to SMB for example, if I understood correctly).

Use ntlmrelayx for this. Here's a good blog post detailing how it's done: https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/
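Because the NTLMSSP messages are byte-for-byte the same whatever carries them, one parser covers HTTP headers, SMB and LDAP alike, which is both why relaying works and how a defender can log who authenticated and whether signing was negotiated. The block below is an added example, not from the page: it decodes Type 1/2/3 messages from an Authorization header; build_sample_type3 and sample_authorization_header are hypothetical helpers that construct a sample AUTHENTICATE message.

```python
import base64
import struct

# MS-NLMP NegotiateFlags a defender cares about when assessing relay exposure
FLAGS = {0x00000010: "SIGN", 0x00000020: "SEAL", 0x00008000: "ALWAYS_SIGN",
         0x00080000: "EXTENDED_SESSIONSECURITY", 0x40000000: "KEY_EXCH"}

def _field(msg, off):
    """Resolve an NTLM (Len, MaxLen, Offset) descriptor to the payload bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def parse_ntlm_message(msg):
    """Decode NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3), whatever transport carried it."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == 2:
        return {"type": 2, "flags": struct.unpack_from("<I", msg, 20)[0], "challenge": msg[24:32]}
    if mtype == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        text = (lambda b: b.decode("utf-16-le")) if flags & 1 else (lambda b: b.decode("latin-1"))
        return {"type": 3, "flags": flags, "domain": text(_field(msg, 28)), "user": text(_field(msg, 36)),
                "workstation": text(_field(msg, 44)), "nt_response_len": len(_field(msg, 20))}
    raise ValueError(f"unknown NTLM message type {mtype}")

def parse_authorization_header(value):
    """'Authorization: NTLM <base64>' as seen in HTTP; the token is the raw NTLMSSP message."""
    scheme, _, token = value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    return parse_ntlm_message(base64.b64decode(token))

def flag_names(flags):
    return sorted(name for bit, name in FLAGS.items() if flags & bit)

def build_sample_type3(user, domain, workstation, flags=0x00000201):
    """Constructed AUTHENTICATE message (not captured traffic): UNICODE|NTLM flags, dummy responses."""
    fields, payload, base = b"", b"", 64      # fixed header ends at 64 when Version/MIC are absent
    for data in (b"", b"\x11" * 24, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(data), len(data), base + len(payload))
        payload += data
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload

def sample_authorization_header(user, domain, workstation):
    return "NTLM " + base64.b64encode(build_sample_type3(user, domain, workstation)).decode()
```

Logging the user, workstation and negotiated flags from every Type 3 seen by a web server gives the correlation data needed to spot one account authenticating from an unexpected relay host, while requiring SMB/LDAP signing and channel binding on the targets is what stops the relay itself.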

WPAD
