I am currently doing a penetration test, and have captured a bunch of NTLM hashes via NBNS spoofing.

An example (this is not taken from what I captured, and is random but the format is the same) would be:

[*] SMB Captured - 2014-12-11 11:20:00 -0500
NTLMv1 Response Captured from 1.1.1.1:62222 - 1.1.1.1 
USER:justauser DOMAIN:JUSTADOMAIN OS: LM:
LMHASH:Disabled 
NTHASH:1b62d8db74e0d7102334bc7dcc224d7daecd3e2041ad0921

I had thought that this NTHASH could be used with a pass-the-hash attack; however, setting it as the parameter for the SMBPass option in Metasploit's psexec module fails.

Am I doing something wrong? It is my understanding that if an NTLMv1 hash is captured, it does not need to be cracked.

schroeder