
The tool Responder, written in Python, lets you listen for requests on a specific network card and automatically poison victims in order to steal NTLMv1 and NTLMv2 hashes.

A Pass-The-Hash attack makes it possible to connect to a service like SMB. I am a little bit confused about the difference between LM hashes and NTLM hashes, and so about the consequences of a Pass-The-Hash attack. I know that it's also possible to crack the NTLMv1 or NTLMv2 hash with John, for example.

From the premise that the password is complex and it's not possible to brute-force it, apart from connecting to a share and getting some sensitive files:

  1. What can an attacker do on the same network?
  2. Is it possible to connect to an RDP service, for example?
  3. Is it possible to forge a silver/golden Kerberos ticket?
Anonyme

1 Answer

Responder gathers NetNTLMv1 and NetNTLMv2 hashes, to be precise. These hashes are generated as part of a challenge-response mechanism, and as a result are much harder to crack than LM or NTLM hashes, which are based on a not-so-strong encryption algorithm.

  1. An attacker running Responder inside a network can use a tool such as NTLMRelayx from impacket to relay the credentials to any SMB server which has SMB Signing disabled. Note that the attacker cannot relay these credentials back to the service on the same system from where the hashes were captured.

  2. Although an attacker cannot RDP to a server using relaying, they should still be able to gain administrative access to the server through SMB (provided the credentials relayed belonged to a privileged user).

  3. No, an attacker cannot forge a golden/silver ticket using just the NetNTLMvx hashes.

Sachin S Kamath
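To make concrete why a captured NetNTLMv2 value is not a reusable credential the way an NT hash is, here is an added example (not from the question or the answer) that implements the MS-NLMP NTLMv2 computation with Python's hmac/hashlib. The response is an HMAC-MD5 bound to the server's challenge, so it verifies only against that one challenge: relaying it while the challenge is live works, replaying it later or using it for Pass-The-Hash does not. The NT hash, user, domain, challenges and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed NT hash (MD4 of the UTF-16LE password). A DC stores this value;
# an attacker capturing NetNTLMv2 on the wire never sees it directly.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
# Minimal AV_PAIR list: a single MsvAvEOL entry (id 0, length 0).
EOL_TARGET_INFO = struct.pack("<HH", 0, 0)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user) || domain in UTF-16LE."""
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()


def build_blob(client_challenge: bytes, target_info: bytes, filetime: int) -> bytes:
    """The NTLMv2 'temp' structure: resp/hi version, reserved, FILETIME, client nonce, reserved, AV pairs, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob. This is what Responder captures when it poses as the
    server and hands out server_challenge; only the NTProofStr depends on the secret."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server/DC side: recompute NTProofStr from the stored NT hash and the challenge it actually issued.
    A response produced under a different challenge fails here, which is why a captured value cannot be replayed."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def replay_demo() -> dict:
    """Bind one response to challenge A, then check it against A (genuine server) and B (a later session)."""
    blob = build_blob(b"\x11" * 8, EOL_TARGET_INFO, 132_000_000_000_000_000)  # constructed nonce/time
    challenge_a, challenge_b = bytes(range(8)), bytes(range(8, 16))
    resp = ntlmv2_response(NT_HASH, "alice", "CORP", challenge_a, blob)
    return {
        "accepted_by_issuer": verify_response(NT_HASH, "alice", "CORP", challenge_a, resp),
        "accepted_on_replay": verify_response(NT_HASH, "alice", "CORP", challenge_b, resp),
    }


if __name__ == "__main__":
    print(replay_demo())
```

Cracking the captured value offline, as the answer mentions, amounts to running verify_response with candidate NT hashes until one matches, which is why password complexity still matters even though the hash itself cannot be passed.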