NTLM Hashing and Authentication

Questions and Answers

What hash version was passed to Responder?

Unknown

Version 3 (v3)

Version 2 (v2) (correct)

Version 1 (v1)

What type of file is created in the example?

Password list file

v1 file

Root file

v2 file (correct)

What is used to crack the password in the example?

Winexe

Responder

GitHub

John the Ripper (correct)

What is the password that John the Ripper successfully cracks?

vagrant

What ruleset is used with John the Ripper in the example?

KoreLogic ruleset

What can be accessed using the credentials obtained?

The target system remotely

What is Winexe used for?

Remote administration of Windows systems

What can Winexe be used to do on the target system?

Run applications

What is the initial step in getting passwords with Responder?

Running Responder on the Kali Host

What is observed on the Windows system during this process?

Only an 'Access is denied' message

What is obtained from the output on the Kali box?

The IP address and username of the requesting host

What is done with the obtained hash?

It is tried to be cracked to see if it works on the system

Why is CTRL-C pressed on the Responder window?

To stop Responder from running

What is the purpose of dumping hashes out of Responder?

To process them with John the Ripper

What are the two new files generated after dumping hashes out of Responder?

DumpNTLMv1.txt and DumpNTLMv2.txt

What type of hash can be seen on the next slide?

NetNTLMv2 Hash

What was the purpose of creating NetNTLMv1 and NetNTLMv2 hashes?

To make hashes slower to crack

What is used to add randomness to the NTLMv1 hash?

A server-based nonce

What happens when a client connects to a host using NTLMv1?

The client asks for a nonce and then sends the hashed challenge to the server

What is the purpose of the second nonce in NTLMv2?

To add complexity to the hash creation

How does NTLMv2 protect against rainbow tables?

By using two different nonces

What is the purpose of using Responder in capturing hashes?

To answer LLMNR and NBNS queries

Why is using a fixed challenge on the server side beneficial when capturing hashes?

It allows us to deal with one set of randomness instead of two

Where can the latest version of Responder be obtained?

From GitHub

What is the purpose of running the Get-ComputerDetail.ps1 script?

To get computer details

What is needed to perform certain activities on the domain?

A ticket or hash cached in the session

What is the purpose of running the Invoke-Portscan.ps1 script?

To scan a port on the target Windows machine

What is the tool used to spoof LLMNR and NetBIOS Name Services responses?

Responder

What is used to crack credentials?

John the Ripper

What is the purpose of the PowerView.ps1 script?

The purpose is not specified in the text

What is required to perform some activities on the domain?

A full session on the system

What is the purpose of using cmdlets like Invoke-WebRequest and Invoke-Expression?

To bring along our own code over the Internet

What is the main theme of the summary?

Ways to get onto a target system without using an exploit

What are the two ways Evil-WinRM can bring over code?

Scripts and binaries

What does the -s flag specify in Evil-WinRM?

A script directory location

What can be loaded from the script directory in Evil-WinRM?

Any scripts

What happens when we type 'menu' in Evil-WinRM?

It lists all available scripts

What is the purpose of Bypass-4MSI in Evil-WinRM?

To bypass Windows Antimalware Scan Interface

How do you run a script in Evil-WinRM?

By typing the script name and then running 'menu' again

What is included in the tool by default in Evil-WinRM?

Four commands: Dll-Loader, Donut-Loader, Invoke-Binary, and Bypass-4MSI