Hello. I was waiting for this. I am glad you finally released it. I was thinking someone had lost the recorded video of the live. Thank you.
Not lost, it was just waiting in line behind other projects. Better late than never!
There are some inaccuracies in this video. One being that the protocol described as NTLM isn’t NTLM. It’s NetNTLM (and NTLMv2). NetNTLM is a challenge-response protocol. NTLM is a hashing algorithm. When you’re relaying these hashes they aren’t NTLM hashes. They’re NetNTLM/v2 hashes. If you were getting NTLM hashes off the wire that means something is grossly misconfigured somewhere, and since NTLM is passable you wouldn’t need time-sensitive relays to get around NetNTLM timers.
You can also get a list of targets without SMB signing enabled with CME in just seconds. You don’t have to use a big loud tool like Nessus. Just use the --gen-relay-list option. It’ll even spit the targets out into a text file for you that you can use with ntlmrelayx.
Ok. Let’s hit this. NT is a straight MD5 hash of a password. LANMAN is a DES encryption of the string KGS!@#$% with the password converted to upper case and split into two seven-character strings. LANMAN authentication is the hash being sent but wrapped in a 16-byte challenge. NTLM is the exact same as LM but it uses the NT hash. NetNTLMv2 is very, very different. And all their hashes are different when captured on the wire. In fact, some are not hashes at all, but we call them that to simplify. "Password representation formats" just does not roll off the lips as well.
There are actually only two password representation formats stored on Windows for the OS: NT and LANMAN.
So, you are actually a wee bit off yourself. But that is ok, as it is a common misconception and some of us old farts could have done better clearing things up for you all.
Serena content is always excellent content
Thanks!
Thank you ❤
This is REALLY useful.
Thanks Serena!
Very useful. Thanks.
The "fork" of Responder is by the original author, who just happened to work at SpiderLabs in the past. The SpiderLabs version should be thrown in the trash.
I didn't know this! Thanks :)
So many edits.
I like the material, but I really struggle with her teaching style, as she really seems nervous. I think she is still new to the field though, right? If so, then it will get better with time. Cheers