Using NTLMv2 Hashes in Penetration Testing

TL;DR

NTLMv2 hashes are commonly found during penetration tests and can be used for various attacks to gain access to systems. This guide explains how to find them, crack them offline, and use them for pass-the-hash or pass-the-ticket attacks.

Finding NTLMv2 Hashes

  1. Mimikatz: The most common tool. It extracts credentials (including NTLM hashes) from memory.
    • Run Mimikatz as an administrator on the target system.
    • Use the sekurlsa:: module to dump credentials (the original post named a sekcmd:: module, which does not exist in Mimikatz).
      mimikatz "log hashes.txt" "sekurlsa::logonpasswords" exit
  2. Responder: Captures NTLMv2 challenges during network authentication attempts (e.g., SMB, HTTP).
    • Configure Responder on a machine within the target network.
    • It passively listens for broadcasts and captures hashes when users authenticate to services it’s spoofing.
      responder -I eth0 -w
  3. BloodHound: While not directly extracting hashes, BloodHound ingests data collected by SharpHound which *can* include hash information if the attacker has sufficient privileges.
  4. LSASS Memory Dump: Directly dumping the LSASS process memory can reveal NTLM hashes. This requires elevated privileges and tools like Procdump.
    • procdump -ma lsass.exe lsass.dmp
    • Then use Mimikatz to parse the dump:
      mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

Cracking NTLMv2 Hashes

  1. Hashcat: A powerful password cracking tool.
    • Check that the hashes are in a Hashcat-compatible (NetNTLMv2) format. For example, John the Ripper recognises that format with:
      john --format=netntlmv2 hashes.txt
    • Run Hashcat with appropriate wordlists and rules.
      hashcat -m 5600 hashes.txt rockyou.txt
  2. John the Ripper: Another popular cracking tool, often easier to use for simple cracks.
    • Use the same format check as above (john --format=netntlmv2 hashes.txt).
    • Run John with wordlists and rules:
      john --format=netntlmv2 --wordlist=rockyou.txt hashes.txt
  3. Online Hash Databases: Check if the hashes exist in known breach databases (e.g., using tools like CrackStation).

Using Cracked or Uncracked Hashes

  1. Pass-the-Hash: Use the hash directly to authenticate to a system without knowing the plaintext password.
    • Tools like Metasploit and Impacket’s psexec can use Pass-the-Hash.
      psexec.py -hashes :<NT_HASH> DOMAIN/user@target_host
  2. Pass-the-Ticket: If Kerberos tickets are available (often obtained alongside NTLM hashes), use them to authenticate.
    • Tools like Mimikatz can inject tickets into the LSASS process.
      mimikatz "kerberos::ptt ticket.kirbi"
  3. Overpass-the-Hash: Similar to Pass-the-Hash, but uses the hash to request a Kerberos ticket, a more modern authentication protocol than NTLM.

Important Considerations

  • Hash Length: NTLMv2 hashes are 32 characters long.
  • Salt: NTLMv2 includes a salt, making rainbow table attacks less effective (but not impossible).
  • Auditing: Monitor for suspicious authentication attempts and LSASS process access.
  • Defensive Measures: Implement Account Lockout Policies, enforce strong passwords, and consider disabling NTLM where possible.
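
The two auditing signals above (unexpected LSASS process access and NTLM network logons) can be turned into simple triage checks. This is an added example, not code from the original post; it runs over constructed Sysmon Event ID 10 and Security Event ID 4624 records, and the allow-list of images permitted to open lsass.exe is an assumption to tune per environment.

```python
# Added example (not from the original post): a triage pass for the two auditing signals
# named above, run over constructed Sysmon and Windows Security event records.
PROCESS_VM_READ = 0x0010  # winnt.h access right needed to read another process's memory

# Assumed allow-list of images that legitimately open lsass.exe; tune it per environment.
LSASS_ALLOWED_SOURCES = {
    r"C:\Windows\system32\wbem\WmiPrvSE.exe",
    r"C:\Windows\system32\csrss.exe",
}

def is_suspicious_lsass_access(event: dict) -> bool:
    """Sysmon Event ID 10 (ProcessAccess): lsass.exe opened with memory-read rights by an unlisted image."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs the mask as hex text
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage") not in LSASS_ALLOWED_SOURCES

def is_ntlm_network_logon(event: dict) -> bool:
    """Security Event ID 4624: a network (type 3) logon that negotiated NTLM instead of Kerberos."""
    return (
        event.get("EventID") == 4624
        and event.get("LogonType") == 3
        and event.get("AuthenticationPackageName", "").upper() == "NTLM"
    )

def triage(events: list) -> list:
    """Return (EventID, actor) pairs for every event that trips one of the two checks."""
    hits = []
    for e in events:
        if is_suspicious_lsass_access(e):
            hits.append((10, e["SourceImage"]))
        elif is_ntlm_network_logon(e):
            hits.append((4624, e["TargetUserName"]))
    return hits

# Constructed sample records (not real telemetry), flattened to key/value form.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe"},
]
```

In production the same checks would read from the event log or a SIEM export rather than an inline list, and the NTLM logon check is usually scoped to hosts where Kerberos is expected.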