
Identify good Net-NTLMSSP hashes #398

Open
obilodeau opened this issue Apr 1, 2022 · 2 comments

Comments

@obilodeau
Collaborator

Did some tests today. There would be a way to identify "valid" Net-NTLM hashes from invalid ones and highlight the difference in the logs (we should still keep the bad ones because they might give a hint about other types of creds).

Invalid:

[2022-04-01 19:57:11,741] - INFO - Raul666206 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:9dd5d54c8bf1511b:197477fd4b8c3dafd9e4ec30bc23d4d8:01010000000000004c652fad0246d8012daf35537830b9e20000000002001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440001001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440004001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440003001e0045004300320041004d0041005a002d0042004d0043004e0044004c004400070008004c652fad0246d80106000400020000000800300030000000000000000100000000200000aa7bda98074961e32a772956fc333f299ea334916141e5e9f1bdf09b597f19680a00100000000000000000000000000000000000090034005400450052004d0053005
 other side was lost in a non-clean fashion: Connection lost.

Valid:

[2022-04-01 19:57:22,746] - INFO - Maurice363590 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:e13c59bf4301d80e:0025583f160cdbd3463279b015b3d87a:01010000000000007de4bdb30246d801112e33ba831cbefe0000000002001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440001001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440004001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440003001e0045004300320041004d0041005a002d0042004d0043004e0044004c004400070008007de4bdb30246d80106000400020000000800300030000000000000000100000000200000aa7bda98074961e32a772956fc333f299ea334916141e5e9f1bdf09b597f19680a00100000000000000000000000000000000000090034005400450052004d005300520056002f006d0079002d007300650072007600650072002e0067006f007300650063002e0063006f000000000000000000
[2022-04-01 19:57:23,770] - INFO - Maurice363590 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]

We could probably make that distinction by looking at the protocol packets back from the server.
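Added example, not code from the issue or from pyrdp: a Python parser for the logged `NTLMSSP Hash:` line that splits the hashcat-style fields (user::domain:server challenge:NTProofStr:blob) and decodes the NTLMv2 client blob, so a reviewer of these logs can read the client timestamp, the AV pairs and the target SPN the client was authenticating to. The field layout follows MS-NLMP (2.2.2.7 and 2.2.2.1); the sample input is the "Valid" line quoted above.

```python
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids, MS-NLMP 2.2.2.1 (standard values, not taken from the issue).
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
UTF16_IDS = {1, 2, 3, 4, 5, 9}  # values carried as UTF-16LE strings

# The "Valid" log line from the issue above, used as sample input.
ISSUE_VALID_LINE = "[2022-04-01 19:57:22,746] - INFO - Maurice363590 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:e13c59bf4301d80e:0025583f160cdbd3463279b015b3d87a:01010000000000007de4bdb30246d801112e33ba831cbefe0000000002001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440001001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440004001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440003001e0045004300320041004d0041005a002d0042004d0043004e0044004c004400070008007de4bdb30246d80106000400020000000800300030000000000000000100000000200000aa7bda98074961e32a772956fc333f299ea334916141e5e9f1bdf09b597f19680a00100000000000000000000000000000000000090034005400450052004d005300520056002f006d0079002d007300650072007600650072002e0067006f007300650063002e0063006f000000000000000000"


def filetime_to_iso(ft: int) -> str:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO-8601 string."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ft // 10)).isoformat()


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (AvId u16, AvLen u16, Value) until MsvAvEOL."""
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        value = data[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f"Unknown{av_id}")
        if av_id in UTF16_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 6:  # MsvAvFlags, little-endian u32
            pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:  # MsvAvTimestamp, FILETIME
            pairs[name] = filetime_to_iso(struct.unpack("<Q", value)[0])
        else:  # SingleHost, ChannelBindings and unknown ids stay raw
            pairs[name] = value.hex()
    return pairs


def parse_ntlmssp_log_line(line: str) -> dict:
    """Split a pyrdp 'NTLMSSP Hash:' line and decode its NTLMv2_CLIENT_CHALLENGE blob."""
    hash_part = line.split("NTLMSSP Hash: ", 1)[1].strip()
    user, _, domain, server_challenge, nt_proof, blob_hex = hash_part.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # RespType(1) HiRespType(1) Reserved(6) TimeStamp(8) ChallengeFromClient(8) Reserved(4) AvPairs
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "client_time": filetime_to_iso(timestamp),
            "client_challenge": client_challenge.hex(),
            "av_pairs": parse_av_pairs(blob[28:])}
```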

@lubiedo
Contributor

lubiedo commented Jul 15, 2022

By valid you mean NTLM hashes that were used in a successful login?

@obilodeau
Collaborator Author

> By valid you mean NTLM hashes that were used in a successful login?

Yes, exactly
