
Grab the Net-NTLM hash before closing an NLA connection #358

Closed
obilodeau opened this issue Sep 3, 2021 · 0 comments · Fixed by #367
Labels: enhancement (New feature or request)
Milestone: v1.3.0

Comments

@obilodeau (Collaborator)

We know that Responder is able to dump Net-NTLMv2 hashes even if it doesn't fully support RDP.

This means that if we pursue the handshake even if we know we can't finish the connection, we can at least grab the hash and log it.

A stretch goal would be: if we manage to crack the hash, we know we could MITM NLA because we could then create a new challenge-response on the server side. If I recall correctly, the only thing preventing us from doing that was that part of the challenge response mixed the plaintext password (which we don't know) with the server's public/private/fingerprint (not sure which) and that the server would reject anything tampered with. We couldn't do the double Diffie-Hellman trick because of the mixing of both these layers. If we have the password, we can truly do an NLA handshake in the middle. This would open up a new attack use case. Note that I'm half intentionally vague here.

Tagging @danielsantos1234.

@obilodeau obilodeau added the enhancement New feature or request label Sep 3, 2021
@obilodeau obilodeau added this to the v1.3.0 milestone Sep 3, 2021
@lubiedo lubiedo linked a pull request Nov 11, 2021 that will close this issue
obilodeau added a commit that referenced this issue Nov 26, 2021
If we don't use the NLA redirection feature and the server doesn't support downgrade attacks, then the best we can do is steal the hash. Some ASN.1 BER improvements were required as well.

Fixes #358

Co-authored-by: Olivier Bilodeau <obilodeau@gosecure.net>
obilodeau added a commit to alxbl/pyrdp that referenced this issue Jan 6, 2022
If we don't use the NLA redirection feature and the server doesn't support downgrade attacks, then the best we can do is steal the hash. Some ASN.1 BER improvements were required as well.

Fixes GoSecure#358

Co-authored-by: Olivier Bilodeau <obilodeau@gosecure.net>
obilodeau added a commit that referenced this issue Jan 17, 2022