Skip to content

WMkick is a TCP protocol redirector/MITM tool that targets NTLM authentication message flows in WMI (135/tcp) and Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2 hashes.

KoreLogicSecurity/wmkick

Repository files navigation

Table of Contents

  Section 1 .................... Overview
  Section 2 .................... Documentation
  Section 3 .................... License
  Section 4 .................... References

1 Overview

  WMkick is a TCP protocol redirector/MITM tool that targets NTLM
  authentication message flows in WMI (135/tcp) and
  Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2
  hashes. Once a hash has been captured, popular cracking tools such
  as Hashcat and JtR can be used to recover plaintext passwords.
  WMkick automates the hash extraction process and alleviates the
  need to build/use a WMI (or WSMAN) Auth Server or perform manual
  packet analysis.

  A use case for WMkick is for internal penetration tests.  If the
  penetration tester can redirect these protocols to their own
  Windows virtual machine or remote target hosting WMI or WSMan
  services, it is possible to obtain a valid NetNTLMv2 hash, which
  can be cracked into a plaintext credential, in order to go from
  a non-credentialed to credentialed perspective.  A possible
  situation that may be observed in the target environment is
  software or administrative scripts running remote WMI or WSMan
  commands over a subnet in which wmkick is running, the attacker
  may take advantage of this.

2 Documentation

  See README.INSTALL for requirements and instructions on how to
  build, test, and install this software.

3 License

  The terms and conditions under which this software is released are
  set forth in README.LICENSE.

4 References

  The NT LAN Manager (NTLM) Authentication Protocol is documented
  here:

    https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/%5bMS-NLMP%5d.pdf

About

WMkick is a TCP protocol redirector/MITM tool that targets NTLM authentication message flows in WMI (135/tcp) and Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2 hashes.

Resources

Stars

Watchers

Forks

Packages

No packages published