
Questions tagged [ntlm]

NT LAN Manager (NTLM) is a series of protocols developed by Microsoft.

1 vote
1 answer
119 views

Can NTLM pass-through authentication be done without NetLogon?

In any "recent" documentation regarding NTLM (Microsoft) I see it stated that the mechanism of pass-through authentication is done over a NetLogon channel, which should be secure. This ...
0 votes
0 answers
178 views

Impossible NTLMv2 hash format with Responder lm option

While doing an internal assessment, I stumbled upon a very weird looking NTLMv2 hash (I will not use the "Net-NTLM" terminology but I'm talking about the NTLM protocol) while using ...
0 votes
1 answer
141 views

It is possible to receive an NTLM response with IPv6. What about IPv4?

I performed an NTLM relay attack with mitm6 and ntlmrelayx. I used mitm6 for DNS spoofing. When the victim sent a query about where the DHCP is located, I identified myself as the DHCP server. Then ...
0 votes
0 answers
162 views

Using rainbow tables to obtain the first 7 characters of a Windows password (LM/NTLMv1)

I am trying to understand how an attacker is able to use the halflm challenge rainbow table to obtain the first 7 characters of a Windows password that was used to authenticate a user using LM/NTLMv1. ...
3 votes
2 answers
2k views

Kerberos - NTLM Password Hashes - Questions!

I have worked as a system administrator mainly on Windows Server for some years now. Over the course of time I've always had a hard time trying to fully understand how Kerberos works. For about 3 weeks ...
0 votes
1 answer
636 views

How to generate actually valid NTLM hash for chntpw (for SAM hive file injection)

I am currently working on a solution to at least try to implement a working/modern "change password" option to chntpw. First of all: Windows uses this format in its hive file: root@rescue /...
3 votes
0 answers
318 views

Can hashes labeled 'lm' in SAM database mimikatz dump be another type than (NT)LM?

When I dump the password history hashes stored in the SAM database with the mimikatz lsadump::dcsync tool, for every i-th password (re-)set by a SAM account there are two hashes stored by Active Directory ...
0 votes
1 answer
3k views

pwdump8-8.2 correct hash for Microsoft Account Win10

I am having a real issue cracking one NT hash I've pulled from my system for a Microsoft Account. I used PwDump8.2. I have an admin account unlocked on the system and can access most files. I know ...
0 votes
1 answer
681 views

Are there other types of NT Password (NTLM Hash) besides raw MD4?

According to the freeradius document https://freeradius.org/radiusd/man/rlm_pap.txt I can use NT-Password as the type of storing user's password. However, I have only found the type of generating raw ...
1 vote
1 answer
1k views

Downgrade of NTLM Authentication

I have been experimenting with NTLM and its different relay mitigations, including MIC and channel bindings. In my understanding: NTLM auth starts with a negotiation packet sent by the client. In this ...
1 vote
1 answer
404 views

Watering Hole Website NTLM Steal Attack

I'm trying to recreate a watering hole SMB theft attack where you send a victim a link to your website containing code like file://ip/file.gif, causing forced authentication which passes the NTLM hash....
1 vote
1 answer
703 views

How is NTLM SSO performed on smartcard Kerberos logon?

I have been researching Kerberos and NTLM for the last couple of days and still have one thing unresolved. After an interactive logon with Kerberos, you will have in the cached credentials both ...
1 vote
0 answers
543 views

Hardware for password cracking

I'm planning to extend my pentest services to password cracking, to be more precise: cracking Active Directory passwords, extracted from the customer's Active Directory in order to check users ...
1 vote
0 answers
152 views

Is the ability to export HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SYSTEM as .reg files a security concern?

I am concerned that if it is possible to copy these as .reg files (without privs) and then (on another machine) reverse the .hiv files from them... this would probably be bad, which makes me think it'...
0 votes
0 answers
422 views

Running Responder outputs many hashes per user, how is this possible?

I am running Responder on Kali Linux within a client network using the following command, sudo responder -I eth0 -w -r -d, which is capturing many hashes in the environment. Responder is an LLMNR, NBT-...