Tutorial: NT LAN Manager (NTLM) Security Support Provider (NTLMSSP)
NTLM NTLMSSP WindowsIntroduction
NT LAN Manager (NTLM) is a Microsoft AAA protocol which has its weaknesses. Hence, we wrote a plugin ntlmsspDecode which extracts some vital info and the hash, which can be cracked.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the following plugins:
t2build tranalyzer2 basicFlow tcpStates ntlmsspDecode txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: smb2.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing NTLMSSP traffic!
ntlmsspDecode
Let’s look at the plugin configuration first:
ntlmsspDecode
vi src/ntlmsspDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define NTLMSSP_CLI_CHALL 0 // Output client challenge
#define NTLMSSP_DNS 1 // Output DNS computer/domain/tree name
#define NTLMSSP_NETBIOS 1 // Output NetBIOS computer/domain name
#define NTLMSSP_VERSION 2 // Output format for the version:
// 0: do not output the version
// 1: output the version as string
// 2: output the version as major_minor_build_rev
#define NTLMSSP_SAVE_AUTH_V1 1 // Extract NetNTLMv1 hashes
#define NTLMSSP_SAVE_AUTH_V2 1 // Extract NetNTLMv2 hashes
#define NTLMSSP_SAVE_INFO 0 // Add flow information in the hashes files
#define NTLMSSP_NAME_LEN 64 // Max length for string output
#define NTLMSSP_AUTH_V1_FILE "_NetNTLMv1.txt" // suffix for NetNTLMv1 hashes filename
#define NTLMSSP_AUTH_V2_FILE "_NetNTLMv2.txt" // suffix for NetNTLMv2 hashes filename
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...Run t2 on the supplied pcap.
t2conf ntlmsspDecode -D NTLMSSP_CLI_CHALL=1 && t2build ntlmsspDecode
t2 -r ~/data/smb2.pcap -w ~/results/================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 30057 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.8.14 02: tcpStates, 0.8.14 03: ntlmsspDecode, 0.8.14 04: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/smb2.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1131413212.631817 sec (Tue 08 Nov 2005 01:26:52 GMT) Dump stop : 1131413245.234942 sec (Tue 08 Nov 2005 01:27:25 GMT) Total dump duration: 32.603125 sec Finished processing. Elapsed time: 0.001077 sec Finished unloading flow memory. Time: 0.001135 sec Percentage completed: 100.00% Number of processed packets: 1126 (1.13 K) Number of processed bytes: 217593 (217.59 K) Number of raw bytes: 217593 (217.59 K) Number of pcap bytes: 235633 (235.63 K) Number of IPv4 packets: 1126 (1.13 K) [100.00%] Number of A packets: 556 [49.38%] Number of B packets: 570 [50.62%] Number of A bytes: 103832 (103.83 K) [47.72%] Number of B bytes: 113761 (113.76 K) [52.28%] Average A packet load: 186.75 Average B packet load: 199.58 -------------------------------------------------------------------------------- tcpStates: Aggregated tcpStatesAFlags=0x03 ntlmsspDecode: Aggregated ntlmsspStat=0x5f ntlmsspDecode: Number of NTLMSSP packets: 3 [0.27%] ntlmsspDecode: Number of NetNTLMv1 hashes extracted: 1 -------------------------------------------------------------------------------- Headers count: min: 3, max: 3, average: 3.00 Number of TCP packets: 1126 (1.13 K) [100.00%] Number of TCP bytes: 217593 (217.59 K) [100.00%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 2 Number of processed A flows: 1 [50.00%] Number of processed B flows: 1 [50.00%] Number of request flows: 1 [50.00%] Number of reply flows: 1 [50.00%] Total A/B flow asymmetry: 0.00 Total req/rply flow asymmetry: 0.00 Number of processed packets/flows: 563.00 Number of processed A packets/flows: 556.00 Number of processed B packets/flows: 570.00 Number of processed total packets/s: 34.54 Number of processed A+B packets/s: 34.54 Number of processed A packets/s: 17.05 Number of processed B packets/s: 17.48 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 0.06 Average full raw bandwidth: 53392 b/s (53.39 Kb/s) Average full bandwidth : 53392 b/s (53.39 Kb/s) Max number of flows in memory: 2 [0.00%] Memory usage: 0.01 GB [0.02%] Aggregated flowStat=0x0400000000004000 [INF] IPv4 flows
So the aggregated ntlmsspStat shows that there is indeed NTLM protocol and it contains negotiate, challenge and authenticate messages. As NTLMSSP_NAME_LEN=64 the ntlmsspCliChallenge hash is truncated, but the full hash is extracted in NTLMSSP_AUTH_FILE besides the flow file.
The ntlmsspStat column with value 0x5f is to be interpreted as follows: bit | ntlmsspStat | Description ============================================================================= 0 | 0x01 | Flow is NTLMSSP 1 | 0x02 | Flow contains Negotiate messages 2 | 0x04 | Flow contains Challenge messages 3 | 0x08 | Flow contains Authenticate messages 4 | 0x10 | NetNTLMv1 hash was extracted for this flow 6 | 0x40 | String output was truncated... increase NTLMSSP_NAME_LEN
If you want to see the full HASH in the flow file increase NTLMSSP_NAME_LEN.
tcol ~/results/smb2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags ntlmsspStat ntlmsspTarget ntlmsspDomain ntlmsspUser ntlmsspHost ntlmsspNegotiateFlags ntlmsspSessKey ntlmsspNTProofStr ntlmsspServChallenge ntlmsspVersionMajor_Minor_Build_Rev ntlmsspNbComputer ntlmsspNbDomain ntlmsspDnsComputer ntlmsspDnsDomain ntlmsspDnsTree ntlmsspAttrTarget ntlmsspTimestamp
A 1 0x0400000000004000 1131413212.631817 1131413245.234537 32.602720 1 3 eth:ipv4:tcp 00:0c:29:5c:2e:c7 00:0c:29:30:60:27 0x0800 192.168.114.20 07 "Private network" 49258 192.168.114.129 07 "Private network" 445 6 0x03 0x5b VISTA1 Administrator VISTA1 0xe2888297 ecf0989b0840ad241400e8f985aa11df ebb89904e84648e500000000000000000000000000000000 6_0_5231_15 0.000000
B 1 0x0400000000004001 1131413212.647561 1131413245.234942 32.587381 1 3 eth:ipv4:tcp 00:0c:29:30:60:27 00:0c:29:5c:2e:c7 0x0800 192.168.114.129 07 "Private network" 445 192.168.114.20 07 "Private network" 49258 6 0x03 0x05 VISTA2 0xe28a8215 f550096e81044aa5 6_0_5231_15 VISTA2 VISTA2 vista2 vista2 1131481062.000000As we only used this plugin for troubleshooting and NetNTLM hash extraction, no packet info is produced so far. But in smb2_NetNTLMv1.txt, the important NetNTLM hash is extracted!
cat ~/results/smb2_NetNTLMv1.txt
Administrator::VISTA1:ebb89904e84648e500000000000000000000000000000000:53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2:f550096e81044aa5Cracking the Hashes
Nice, we have extracted the hash… what’s next? Let’s get cracking!
First, download the latest version of hashcat. (Note that John the Ripper could be used as well.)
wget https://hashcat.net/files/hashcat-6.2.1.tar.gz
tar xzf hashcat-6.2.1.tar.gz
cd hashcat-6.2.1
make
Different hashes require different hashcat -m option, so first, we need to known which type of hash we want to crack… This is actually really easy, as NetNTLMv1 hashes are extracted in the smb2_NetNTLMv1.txt file and NetNTLMv2 hashes are extracted in the smb2_NetNTLMv2.txt file! In our example, we can see that the hash extracted is a NetNTLMv1 hash. Let’s see which -m option we need for NetNTLMv1 hashes:
./hashcat --help | grep NetNTLM
5500 | NetNTLMv1 / NetNTLMv1+ESS | Network Protocols
5600 | NetNTLMv2 | Network ProtocolsOk, so we’ll use -m 5500 (-m 5600 for NetNTLMv2). We also need a dictionary, i.e., a list of words. Luckily, hashcat provides one, namely example.dict!
cat example.dict
...
t40210
t41ne
t44dwo00
t45canal
t45h32b
t45oldmx
t467p
t46pxu7
t4a4s9pj
t4auto
t4b4l3t
t4c0
...Okay, so now, we are all set… let’s run hashcat and see what happens!
./hashcat -m 5500 --show ~/results/smb2_NetNTLMv1.txt example.dict
Administrator::VISTA1:ebb89904e84648e500000000000000000000000000000000:53a70a87921a49e4d50772f32b82a90f9ef0bf5a8e9312a2:f550096e81044aa5:penguinNice, now we know that penguin is the password for Administrator!
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf ntlmsspDecode --reset && t2build ntlmsspDecode
Have fun analyzing.