11

I am on a penetration test at the moment, where LM/NTLMv1 hashes are disabled. I have captured a number of NTLMv2 hashes via NBNS spoofing; however, I was unable to crack them after running them through rainbow tables.

I was able to crack some credentials due to the password being the same as the username, however I have been unable to use these credentials to get anywhere. RDP is locked down to only specific users and I have not been able to connect to any machine via psexec (access denied).

Passing the hash does not work with NTLMv2 so I fear I may be out of options, but would like to get suggestions for anything else I could try. I have a number of NTLMv2 hashes and a few valid user credentials.

Sonny Ordell

1 Answer

6

You can relay or forward an NTLMv2 response but the attacks may require scenario planning and/or tool changes. There may be advanced ways of cracking the hashes that you haven't yet thought about as well.

For further information on relaying, check out --

For a list of nearly 50K NTLM hashes (of which less than 15K were successfully cracked by the competing teams) that were part of the largest cracking contest in history, see the "Crack Me If You Can" (CMIYC) 2014 DEFCON Contest -- http://contest-2014.korelogic.com

In particular, you may want to look at the previous 2010 contest's open set of wordlists and rules. I also found this blog post useful for combining techniques as well as a methodology to password cracking highly-focused on NTLM in modern environments -- http://winterspite.com/security/information-assurance-and-password-policies/

For pre-generated rainbow tables that cover the NTLM space, check out -- http://objectif-securite.ch/en/ophcrack.php

techraf
atdre