Capturing And Cracking NTLMv2 Hashes On The LAN

Target Name: John Doe
Target box: 172.17.130.111 (domain joined)
Attack/facilitator box: 172.17.130.76 (Kali Linux)
Wireshark box: 172.17.130.76 (Kali Linux)

With a compromised host on the network, the idea is to get an unsuspecting victim to click a link to a network share from their workstation. When they do, their workstation sends NTLM challenge/response packets that can be captured and viewed with Wireshark. Below is the process for capturing those packets and rebuilding them into a format that hashcat can use to crack the user's Active Directory password.

First the "victim" (John Doe) must be convinced to click on a link. This really isn't all that difficult, but it is outside the scope of this document. Consider an email message with a link to \\172.17.130.76 (the attacker/facilitator machine). Before the link is clicked, Wireshark should already be open and listening on the appropriate interface so that it captures the required packets.

Capture1

The quickest way to find the packets we are most concerned with is to set up a display filter for "ntlmssp". From there, we only need two packets: the highlighted line and the one directly below it.

Capture2

At this point, we want to have a text editor open so that we can copy the values from the screenshots below as plain text. After everything is pasted into the editor, it will need to be rearranged into a particular order.

Capture3

It is important to capture the NTLMv2 Response as “Hex Stream”.

Capture4

Below is an example of the information needed to build the challenge/response information back into a format that can be cracked. The domain username and domain name can be gleaned from the NTLMSSP_AUTH packet (the 2nd one in the original screenshot). The most important thing to notice is the location of the colons. Specifically, there MUST be a colon after the first 32 bits of the NTLM RESPONSE. This is usually where you will notice a few 010101's. Also, notice the double colon (::) after the domain username.

Capture5

This entire string needs to be saved into a single line text file (again, remember the placement of the colons):

Capture6

Once it is in a text file, that file can be run through hashcat against your favorite wordlists using the following command:

hashcat -m 5600 asdf.txt wordlist.txt
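To show why the colons go where they do, here is an added example (not the post's own code) that computes an NTLMv2 response as MS-NLMP defines it, lays it out in the hashcat 5600 line format the post assembles by hand, and parses such a line back to check its shape. The username "jdoe", domain "CORP", server challenge and blob bytes are constructed values, not taken from the capture; the only password-dependent part of the response is the 16-byte NTProofStr, which is why the colon sits after 32 hex characters, right before the blob that begins with the 0101 bytes the post mentions and that travels in the clear.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, hand-rolled because hashlib's md4 is disabled on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """MS-NLMP 3.3.2: NTProofStr = HMAC-MD5(NTLMv2 key, challenge || blob); response = NTProofStr || blob."""
    nt_hash = md4(password.encode("utf-16le"))
    ntlmv2_key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    nt_proof_str = hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof_str + blob  # only the first 16 bytes depend on the password

def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """Same layout the post assembles by hand: user::domain:challenge:NTProofStr:blob."""
    resp = response.hex()
    return f"{user}::{domain}:{server_challenge.hex()}:{resp[:32]}:{resp[32:]}"

def parse_5600_line(line: str) -> dict:
    """Check the colon placement: empty 2nd field, 8-byte challenge, 16-byte NTProofStr, blob opening 0101 0000..."""
    user, empty, domain, challenge, proof, blob = line.split(":")
    if empty or len(challenge) != 16 or len(proof) != 32 or not blob.startswith("0101000000000000"):
        raise ValueError("malformed NTLMv2 line")
    return {"user": user, "domain": domain, "challenge": challenge, "ntproofstr": proof, "blob": blob}

# Constructed sample values (not taken from the post's capture); the blob carries an empty AvPairs list.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (b"\x01\x01" + b"\x00" * 6                     # RespType, HiRespType, Reserved1, Reserved2
        + struct.pack("<Q", 131_000_000_000_000_000)  # Time (FILETIME), constructed
        + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 12)  # ClientChallenge (constructed), Reserved3, MsvAvEOL, Reserved4

def demo_line() -> str:
    response = ntlmv2_response("Summer2016", "jdoe", "CORP", SERVER_CHALLENGE, BLOB)
    return hashcat_5600_line("jdoe", "CORP", SERVER_CHALLENGE, response)
```

Because the challenge and blob are sent in the clear, anyone holding this line can test candidate passwords offline, which is what the hashcat command above does; this is the reason NTLM relay/coercion defenses and strong AD passwords matter.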

Capture7

As seen in the screengrab above, the password for John Doe's AD account is "Summer2016".
