Tutorial: NT LAN Manager (NTLM) Security Support Provider (NTLMSSP)

NT LAN Manager (NTLM) is a Microsoft AAA protocol which has its weaknesses. Hence, we wrote a plugin ntlmsspDecode which extracts some vital info and the hash, which can be cracked.

Preparation

Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.

First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins

$ t2build tranalyzer2 basicFlow ntlmsspDecode tcpStates txtSink
...
BUILD SUCCESSFUL

$

If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: smb2.pcap. Now you’re all set.

ntlmsspDecode

Let’s look at the plugin configuration first:

$ ntlmsspDecode
$ vi src/ntlmsspDecode.h

Run t2 on the supplied pcap.

$ t2conf ntlmsspDecode -D NTLMSSP_CLI_CHALL=1 && t2build ntlmsspDecode
...
$ t2 -r ~/data/smb2.pcap -w ~/results/
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 58770
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpFlags, 0.8.10
    03: tcpStates, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/data/smb2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1131413212.631817 sec (Tue 08 Nov 2005 01:26:52 GMT)
Dump stop : 1131413245.234942 sec (Tue 08 Nov 2005 01:27:25 GMT)
Total dump duration: 32.603125 sec
Finished processing. Elapsed time: 0.000640 sec
Finished unloading flow memory. Time: 0.000681 sec
Percentage completed: 100.00%
Number of processed packets: 1126 (1.13 K)
Number of processed bytes: 217593 (217.59 K)
Number of raw bytes: 217593 (217.59 K)
Number of pcap bytes: 235633 (235.63 K)
Number of IPv4 packets: 1126 (1.13 K) [100.00%]
Number of A packets: 556 [49.38%]
Number of B packets: 570 [50.62%]
Number of A bytes: 103832 (103.83 K) [47.72%]
Number of B bytes: 113761 (113.76 K) [52.28%]
Average A packet load: 186.75
Average B packet load: 199.58
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x03
ntlmsspDecode: Aggregated ntlmsspStat=0x4f
ntlmsspDecode: Number of NTLMSSP packets: 3 [0.27%]
ntlmsspDecode: Number of NetNTLMv1 hashes extracted: 1
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 1126 (1.13 K) [100.00%]
Number of TCP bytes: 217593 (217.59 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 2
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request     flows: 1 [50.00%]
Number of reply       flows: 1 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 563.00
Number of processed A packets/flows: 556.00
Number of processed B packets/flows: 570.00
Number of processed total packets/s: 34.54
Number of processed A+B   packets/s: 34.54
Number of processed A     packets/s: 17.05
Number of processed   B   packets/s: 17.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.06
Average full raw bandwidth: 53392 b/s (53.39 Kb/s)
Average full bandwidth : 53392 b/s (53.39 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

So the aggregated ntlmsspStat shows that there is indeed NTLM protocol and it contains negotiate, challenge and authenticate messages. As NTLMSSP_NAME_LEN=64 the ntlmsspCliChallenge hash is truncated, but the full hash is extracted in NTLMSSP_AUTH_FILE besides the flow file.

$ tawk -V ntlmsspStat=0x4f
The ntlmsspStat column with value 0x4f is to be interpreted as follows:

   bit | ntlmsspStat | Description
   =============================================================================
     0 | 0x01        | Flow is NTLMSSP
     1 | 0x02        | Flow contains Negotiate messages
     2 | 0x04        | Flow contains Challenge messages
     3 | 0x08        | Flow contains Authenticate messages
     6 | 0x40        | String output was truncated... increase NTLMSSP_NAME_LEN

If you want to see the full HASH in the flow file increase NTLMSSP_NAME_LEN.

$ cd ~/results
$ tcol smb2_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  ntlmsspStat  ntlmsspTarget  ntlmsspDomain  ntlmsspUser    ntlmsspHost  ntlmsspNegotiateFlags  ntlmsspSessKey                    ntlmsspNTProofStr                                 ntlmsspServChallenge  ntlmsspCliChallenge                               ntlmsspVersionMajor_Minor_Build_Rev  ntlmsspNbComputer  ntlmsspNbDomain  ntlmsspDnsComputer  ntlmsspDnsDomain  ntlmsspDnsTree  ntlmsspAttrTarget  ntlmsspTimestamp
A     1        0x0400000000004000  1131413212.631817  1131413245.234537  32.602720  1           3        eth:ipv4:tcp  00:0c:29:5c:2e:c7  00:0c:29:30:60:27  0x0800              192.168.114.20   07       "Private network"  49258    192.168.114.129  07       "Private network"  445      6        0x03             0x5b                        VISTA1         Administrator  VISTA1       0xe2888297             ecf0989b0840ad241400e8f985aa11df  ebb89904e84648e500000000000000000000000000000000                        53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2  6_0_5231_15                                                                                                                                       0.000000
B     1        0x0400000000004001  1131413212.647561  1131413245.234942  32.587381  1           3        eth:ipv4:tcp  00:0c:29:30:60:27  00:0c:29:5c:2e:c7  0x0800              192.168.114.129  07       "Private network"  445      192.168.114.20   07       "Private network"  49258    6        0x03             0x05         VISTA2                                                    0xe28a8215                                                                                                 f550096e81044aa5                                                        6_0_5231_15                          VISTA2             VISTA2           vista2              vista2                                               1131481062.000000

As we only used this plugin for troubleshooting and NetNTLM hash extraction, no packet info is produced so far. But in smb2_ntlmssp_auth.txt the important NetNTLM Hash is extracted.

$ cat smb2_ntlmssp_auth.txt
# Flow 1
# NetNTLMv1
Administrator::VISTA1:ebb89904e84648e500000000000000000000000000000000:53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2:f550096e81044aa5
$

Cracking the Hashes

Nice, we have extracted the hash… what’s next? Let’s get cracking!

First, download the latest version of hashcat. (Note that John the Ripper could be used as well.)

$ wget https://hashcat.net/files/hashcat-6.2.1.tar.gz
$ tar xzf hashcat-6.2.1.tar.gz
$ cd hashcat-6.2.1
$ make
...
$

Different hashes require different hashcat -m option, so first, we need to known which type of hash we want to crack… This is specified before each hash in the smb2_ntlmssp_auth.txt file. In our example, we can see that the hash extracted is a NetNTLMv1 hash. Let’s see which -m option we need for NetNTLMv1 hashes:

$ ./hashcat --help | grep NetNTLM
   5500 | NetNTLMv1 / NetNTLMv1+ESS                        | Network Protocols
   5600 | NetNTLMv2                                        | Network Protocols
$

Ok, so we’ll use -m 5500 (-m 5600 for NetNTLMv2). We also need a dictionary, i.e., a list of words. Luckily, hashcat provides one, namely example.dict!

$ cat example.dict
...
t40210
t41ne
t44dwo00
t45canal
t45h32b
t45oldmx
t467p
t46pxu7
t4a4s9pj
t4auto
t4b4l3t
t4c0
...
$

Okay, so now, we are all set… let’s run hashcat and see what happens!

$ ./hashcat -m 5500 --show ~/results/smb2_ntlmssp_auth.txt example.dict
Administrator::VISTA1:ebb89904e84648e500000000000000000000000000000000:53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2:f550096e81044aa5:penguin
$

Nice, now we know that penguin is the password for Administrator!

Don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf ntlmsspDecode --reset && t2build ntlmsspDecode
...
$

Have fun analyzing.