NTLMSSP: NT LAN Manager (NTLM) Security Support Provider

NTLM NTLMSSP Windows

Introduction

NT LAN Manager (NTLM) is a Microsoft AAA protocol which has its weaknesses. Hence, we wrote a plugin ntlmsspDecode which extracts some vital info and the hash, which can be cracked.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the following plugins:

t2build tranalyzer2 basicFlow tcpStates ntlmsspDecode txtSink

...
BUILD SUCCESSFUL

If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: smb2.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing NTLMSSP traffic!

ntlmsspDecode

Let’s look at the plugin configuration first:

ntlmsspDecode

vi src/ntlmsspDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define NTLMSSP_CLI_CHALL     0 // Output client challenge
#define NTLMSSP_DNS           1 // Output DNS computer/domain/tree name
#define NTLMSSP_NETBIOS       1 // Output NetBIOS computer/domain name
#define NTLMSSP_VERSION       2 // Output format for the version:
                                //     0: do not output the version
                                //     1: output the version as string
                                //     2: output the version as major_minor_build_rev
                                //
#define NTLMSSP_SAVE_AUTH_V1  1 // Extract NetNTLMv1 hashes
#define NTLMSSP_SAVE_AUTH_V2  1 // Extract NetNTLMv2 hashes
#define NTLMSSP_SAVE_INFO     0 // Add flow information in the hashes files

#define NTLMSSP_NAME_LEN     64 // Max length for string output

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define NTLMSSP_AUTH_V1_FILE "_NetNTLMv1.txt" // suffix for NetNTLMv1 hashes filename
#define NTLMSSP_AUTH_V2_FILE "_NetNTLMv2.txt" // suffix for NetNTLMv2 hashes filename

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap.

t2conf ntlmsspDecode -D NTLMSSP_CLI_CHALL=1 && t2build ntlmsspDecode

t2 -r ~/data/smb2.pcap -w ~/results/

So the aggregated ntlmsspStat shows that there is indeed NTLM protocol and it contains negotiate, challenge and authenticate messages. As NTLMSSP_NAME_LEN=64 the ntlmsspCliChallenge hash is truncated, but the full hash is extracted in NTLMSSP_AUTH_FILE besides the flow file.

tawk -V ntlmsspStat=0x5f

The ntlmsspStat column with value 0x5f is to be interpreted as follows:

   bit | ntlmsspStat | Description
   =============================================================================
     0 | 0x01        | Flow is NTLMSSP
     1 | 0x02        | Flow contains Negotiate messages
     2 | 0x04        | Flow contains Challenge messages
     3 | 0x08        | Flow contains Authenticate messages
     4 | 0x10        | NetNTLMv1 hash was extracted for this flow
     6 | 0x40        | String output was truncated... increase NTLMSSP_NAME_LEN

If you want to see the full HASH in the flow file increase NTLMSSP_NAME_LEN.

tcol ~/results/smb2_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  ntlmsspStat  ntlmsspTarget  ntlmsspDomain  ntlmsspUser    ntlmsspHost  ntlmsspNegotiateFlags  ntlmsspSessKey                    ntlmsspNTProofStr                                 ntlmsspServChallenge  ntlmsspVersionMajor_Minor_Build_Rev  ntlmsspNbComputer  ntlmsspNbDomain  ntlmsspDnsComputer  ntlmsspDnsDomain  ntlmsspDnsTree  ntlmsspAttrTarget  ntlmsspTimestamp
A     1        0x0400000000004000  1131413212.631817  1131413245.234537  32.602720  1           3        eth:ipv4:tcp  00:0c:29:5c:2e:c7  00:0c:29:30:60:27  0x0800              192.168.114.20   07       "Private network"  49258    192.168.114.129  07       "Private network"  445      6        0x03             0x5b                        VISTA1         Administrator  VISTA1       0xe2888297             ecf0989b0840ad241400e8f985aa11df  ebb89904e84648e500000000000000000000000000000000                        6_0_5231_15                                                                                                                                       0.000000
B     1        0x0400000000004001  1131413212.647561  1131413245.234942  32.587381  1           3        eth:ipv4:tcp  00:0c:29:30:60:27  00:0c:29:5c:2e:c7  0x0800              192.168.114.129  07       "Private network"  445      192.168.114.20   07       "Private network"  49258    6        0x03             0x05         VISTA2                                                    0xe28a8215                                                                                                 f550096e81044aa5      6_0_5231_15                          VISTA2             VISTA2           vista2              vista2                                               1131481062.000000

As we only used this plugin for troubleshooting and NetNTLM hash extraction, no packet info is produced so far. But in smb2_NetNTLMv1.txt, the important NetNTLM hash is extracted!

cat ~/results/smb2_NetNTLMv1.txt

Administrator::VISTA1:ebb89904e84648e500000000000000000000000000000000:53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2:f550096e81044aa5

Cracking the hashes

Nice, we have extracted the hash… what’s next? Let’s get cracking!

First, download the latest version of hashcat. (Note that John the Ripper could be used as well.)

wget https://hashcat.net/files/hashcat-6.2.1.tar.gz

tar xzf hashcat-6.2.1.tar.gz

cd hashcat-6.2.1

make

Different hashes require different hashcat -m option, so first, we need to known which type of hash we want to crack… This is actually really easy, as NetNTLMv1 hashes are extracted in the smb2_NetNTLMv1.txt file and NetNTLMv2 hashes are extracted in the smb2_NetNTLMv2.txt file! In our example, we can see that the hash extracted is a NetNTLMv1 hash. Let’s see which -m option we need for NetNTLMv1 hashes:

./hashcat --help | grep NetNTLM

   5500 | NetNTLMv1 / NetNTLMv1+ESS                        | Network Protocols
   5600 | NetNTLMv2                                        | Network Protocols

Ok, so we’ll use -m 5500 (-m 5600 for NetNTLMv2). We also need a dictionary, i.e., a list of words. Luckily, hashcat provides one, namely example.dict!

cat example.dict

...
t40210
t41ne
t44dwo00
t45canal
t45h32b
t45oldmx
t467p
t46pxu7
t4a4s9pj
t4auto
t4b4l3t
t4c0
...

Okay, so now, we are all set… let’s run hashcat and see what happens!

./hashcat -m 5500 --show ~/results/smb2_NetNTLMv1.txt example.dict

Administrator::VISTA1:ebb89904e84648e500000000000000000000000000000000:53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2:f550096e81044aa5:penguin

Nice, now we know that penguin is the password for Administrator!

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf ntlmsspDecode --reset && t2build ntlmsspDecode

Have fun analyzing.