NTLMv1

NT LAN Manager version 1 (NTLMv1) is vulnerable to several attacks and should be disabled in environments whenever possible. All Microsoft operating systems support its successor NT Lan Manager version 2 (NTLMv2) which should be used instead.

A NTLMv1 hash is formatted like the following:

username::hostname:response:response:challenge -> NTHASH:response

Downgrading

It is possible in environments where NT LAN Manager version 1 is utilized to obtain an NTLMv1 hash from a target computer.

While this was partially described in the Coercion section, prior to receiving a callback we need to run Responder, after modifying the 'Challenge' variable to 1122334455667788. We can then run Responder with the following options:

# Receive and attempt to crack the hash with crack.sh's rainbow tables
Responder.py -I $interface --lm 

# Attempt to remove ESS/SSP and crack locally or for a fee
Responder.py -I $interface --lm --disable-ess

Cracking NTLMv1

Referencing crack.sh, a NTLMv1 hash with ESS/SSP looks like the following:

hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788

After obtaining a hash with ESS/SSP, we first need to reformat the obtained hash using EvilMog's NTLMv1-multi tool or assless-chaps and cracked with a database of NT hashes.

Attacking a Domain Controller

If NTLMv1 is enabled, you can leverage the ability where DC's have the ability to modify their own msDS-KeyCredentialLink attribute. It should be noted this requires two domain controllers to exploit.

References

Cracking NTLMv1 \w ESS/SSPcrack.sh

NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade AttackPraetorian

Practical Attacks against NTLMv1TrustedSec