CyberWolf-Security
  • Home
  • Getting Started in Cyber Security
  • Misc
    • Misc Items
      • Powershell commands
      • Reverse Shells
      • Web Shells
      • File Sharing
      • Useful Commands
      • Google Dorks
      • Proxy & Proxy Chains
      • Port Scanning
      • Intercept Linux CLI Traffic
      • Nessus
    • Frequency stuff
    • Random stuff - needs sorting
  • Services
    • Ports - Services
      • 21 - FTP
      • 22 - SSH
      • 25 - SMTP
      • 69 - TFTP
      • 79 - Finger
      • 88 - Kerberos
      • 123 - NTP
      • 137 - Netbios
      • 161 - SNMP
      • 363 - LDAP
      • 443 - HTTPS
        • IIS
      • 445 - SMB
      • 500 - IKE
      • 623 - IPMI
      • 873 - RSYNC
      • 1433 - MSSQL
      • 1521 - Oracle DB
      • 3389 - RDP
      • 3260 - iSCSI
      • 2049 - NFS
      • 5900 - VNC
      • 5985 - WinRM
      • 6000 - X11
      • 8080 - Jenkins
      • 11211 - Memcached
  • Password Cracking
    • Password attacks
    • Password Cracking
  • Tools
    • Tools
      • Crackmapexec
      • Metasploit
      • Bloodhound
      • Tcpdump
      • Logcat
  • Wireless testing
    • Wireless
      • Converting handshake to .hccapx for Hashcat
      • Cracking WPA/WPA2 hashes
      • Hacking Wireless
      • Get Wireless password from Windows CMD
      • Hotspot
  • Web Application
    • Web App
      • Directory Brute forcing
      • Subdomain brute forcing
      • JWT Tokens
      • GIT
      • Cross-Site Scripting (XSS)
        • Embedded images
        • Payloads
      • WPScan
      • Local File Inclusion (LFI)
      • SQLmap
      • Server Side Template Injection
      • SQL Injection
      • Using Hydra for web brute force
      • Remote Code Execution (RCE)
      • Uploads
      • Subdomain takeover
      • XLS/CSV Injection
      • XML Injection
  • Internals
    • Internals
      • Finding Domain Controllers and DHCP servers
      • Discovering hosts from the inside
      • Dumping domain hashes
      • Active Directory
      • Getting local hashes
      • service principle names (SPNs)
  • Mobile Application
    • Mob App
      • MobApp Testing VM
      • Jailbreaking IOS
      • Tools
        • Frida
        • MobSF
          • Installing MobSF
      • Mobile Application Testing
        • Android
          • Checklist and Methodology
          • ADB
        • IOS
          • Checklist and Methodology
  • Cloud
    • Microsoft Office 365 Security Review
      • Page 1
    • Kubernetes & Docker Review
  • Privilege escalation
    • Windows
      • Tools
      • Unquoted service paths
    • Service Execution
    • Linux
      • Tools
      • Perform a core dump
      • Useful commands
      • Spawn a TTY shell
  • CTF-stuff
    • .Git
  • Steganography
    • Tools
  • Labs / Resources
    • Mitre Caldera
    • Blue-Team
      • Labs
    • Red-Team
      • Vulnerable virtual machines
      • Vulnerable Sites
  • Training
    • Certifications
      • OSCP
      • CEH
      • Crest
        • Crest CPSA
        • Crest CRT
          • Syllabus
          • Appendix B: Core Technical Skills
            • B4 - Network Mapping & Target Identification
            • B5 - Interpreting Tool Output
            • B8 - OS Fingerprinting
            • B9 - Application Fingerprinting and Evaluating Unknown Services
            • B13 - File System Permissions
          • Appendix C: Background Information Gathering & Open Source
            • C2 - Domain Name Server (DNS)
          • Appendix D: Networking Equipment
            • D1 - Management Protocols
            • D3 - Networking Protocols
          • Appendix E: Microsoft Windows Security Assessment
            • E1 - Domain Reconnaissance
            • E2 - User Enumeration
            • E3 - Active Directory
            • E5 - Windows Vulnerabilities
            • E9 - Common Windows Applications
          • Appendix F: Unix Security Assessment
            • F1- User enumeration
            • F2 - Unix vulnerabilities
            • F3 - FTP
            • F4 - Sendmail / SMTP
            • F5 - Network File System (NFS)
            • F6 - R* services
            • F7 - X11
            • F8 - RPC services
            • F9 - SSH
          • Appendix G: Web Technologies
            • G1 - Web Server Operation
            • G2 - Web Servers & their Flaws
            • G4 - Web Protocols
            • G7 - Web Application Servers
          • Appendix I: Web Testing Techniques
            • I1 - Web Site Structure Discovery
            • I2 - Cross Site Scripting Attacks
            • I3 - SQL Injection
            • I6 - Parameter Manipulation
          • Appendix J: Databases
            • J1 - Microsoft SQL Server
            • J2 - Oracle RDBMS
            • J3 - Web / App / Database Connectivity
      • Study Material
        • Encryption
    • Terminology
      • NTLM & NTLM2
  • Vulnerabilities
    • Vulnerabilities
  • Exploits
    • ImageMagick
    • CVE-2021-3560 (PolKit)
  • Bug Bounty
    • Bug Bounty Programs
    • Sub Domain Finder
    • link dump
  • FAQ
    • Install ALFA AWUS1900 on Kali
    • Update and upgrade Linux
  • Build Review
    • Workstation
  • Hack the Box
    • Challenges
      • The Needle
Powered by GitBook
On this page

Was this helpful?

  1. Training
  2. Terminology

NTLM & NTLM2

PreviousTerminologyNextVulnerabilities

Last updated 2 years ago

Was this helpful?

NTLM hashes are stored in the Security Account Manager (SAM) database and in Domain Controller's NTDS.dit database. They look like this:

aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
              LM                :             NT

Contrary to what you'd expect, the LM hash is the one before _the semicolon and the NT hash is the one _after the semicolon. Starting with Windows Vista and Windows Server 2008, by default, only the NT hash is stored.

Net-NTLM hashes are used for network authentication (they are derived from a challenge/response algorithm and are based on the user's NT hash). Here's an example of a Net-NTLMv2 (a.k.a NTLMv2) hash:

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

From a pentesting perspective:

  • You CAN perform Pass-The-Hash attacks with NTLM hashes.

  • You CANNOT perform Pass-The-Hash attacks with Net-NTLM hashes. However, tehy can be used to perfom relay attacks.

You get NTLM hashes when dumping the SAM database of any Windows OS, a Domain Controller's NTDS.dit database or from MimikatzMimikatz (Fun fact, although you can't get clear-text passwords from Mimikatz on Windows >= 8.1 you can get NTLM hashes from memory). Some tools just give you the NT hash (e.g. ) and that's perfectly fine: obviously you can still Pass-The-Hash with just the NT hash.

You get Net-NTLMv1/v2 (a.k.a NTLMv1/v2) hashes when using tools like Responder or Inveigh.

References

https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html