NTLM Hashing and Authentication

Questions and Answers

What hash version was passed to Responder?

• Unknown
• Version 3 (v3)
• Version 2 (v2) (correct)
• Version 1 (v1)

What type of file is created in the example?

• Password list file
• v1 file
• Root file
• v2 file (correct)

What is used to crack the password in the example?

• Winexe
• Responder
• GitHub
• John the Ripper (correct)

What is the password that John the Ripper successfully cracks?

vagrant (C)

What ruleset is used with John the Ripper in the example?

KoreLogic ruleset (D)

What can be accessed using the credentials obtained?

The target system remotely (C)

What is Winexe used for?

Remote administration of Windows systems (D)

What can Winexe be used to do on the target system?

Run applications (D)

What is the initial step in getting passwords with Responder?

Running Responder on the Kali Host (D)

What is observed on the Windows system during this process?

Only an 'Access is denied' message (B)

What is obtained from the output on the Kali box?

The IP address and username of the requesting host (D)

What is done with the obtained hash?

It is tried to be cracked to see if it works on the system (C)

Why is CTRL-C pressed on the Responder window?

To stop Responder from running (A)

What is the purpose of dumping hashes out of Responder?

To process them with John the Ripper (D)

What are the two new files generated after dumping hashes out of Responder?

DumpNTLMv1.txt and DumpNTLMv2.txt (B)

What type of hash can be seen on the next slide?

NetNTLMv2 Hash (C)

What was the purpose of creating NetNTLMv1 and NetNTLMv2 hashes?

To make hashes slower to crack (A)

What is used to add randomness to the NTLMv1 hash?

A server-based nonce (A)

What happens when a client connects to a host using NTLMv1?

The client asks for a nonce and then sends the hashed challenge to the server (D)

What is the purpose of the second nonce in NTLMv2?

To add complexity to the hash creation (A)

How does NTLMv2 protect against rainbow tables?

By using two different nonces (B)

What is the purpose of using Responder in capturing hashes?

To answer LLMNR and NBNS queries (A)

Why is using a fixed challenge on the server side beneficial when capturing hashes?

It allows us to deal with one set of randomness instead of two (D)

Where can the latest version of Responder be obtained?

From GitHub (A)

What is the purpose of running the Get-ComputerDetail.ps1 script?

To get computer details (D)

What is needed to perform certain activities on the domain?

A ticket or hash cached in the session (C)

What is the purpose of running the Invoke-Portscan.ps1 script?

To scan a port on the target Windows machine (C)

What is the tool used to spoof LLMNR and NetBIOS Name Services responses?

Responder (C)

What is used to crack credentials?

John the Ripper (C)

What is the purpose of the PowerView.ps1 script?

The purpose is not specified in the text (D)

What is required to perform some activities on the domain?

A full session on the system (D)

What is the purpose of using cmdlets like Invoke-WebRequest and Invoke-Expression?

To bring along our own code over the Internet (C)

What is the main theme of the summary?

Ways to get onto a target system without using an exploit (B)

What are the two ways Evil-WinRM can bring over code?

Scripts and binaries (C)

What does the -s flag specify in Evil-WinRM?

A script directory location (D)

What can be loaded from the script directory in Evil-WinRM?

Any scripts (C)

What happens when we type 'menu' in Evil-WinRM?

It lists all available scripts (C)

What is the purpose of Bypass-4MSI in Evil-WinRM?

To bypass Windows Antimalware Scan Interface (D)

How do you run a script in Evil-WinRM?

By typing the script name and then running 'menu' again (C)

What is included in the tool by default in Evil-WinRM?

Four commands: Dll-Loader, Donut-Loader, Invoke-Binary, and Bypass-4MSI (C)