Captured NTLMv2 hash
From Linux
We should start Responder and let it run for a while in a tmux window while we perform other enumeration tasks to maximize the number of hashes that we can obtain. Once we are ready, we can pass these hashes to Hashcat using hash mode 5600 for NTLMv2 hashes that we typically obtain with Responder. We may at times obtain NTLMv1 hashes and other types of hashes, and can consult the Hashcat example hashes page to identify them and find the proper hash mode. If we ever obtain a strange or unknown hash, this site is a great reference to help identify it.
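To illustrate telling NTLMv1 and NTLMv2 captures apart before choosing a hash mode, here is an added example (not part of the original notes or of any tool mentioned here) that classifies hash lines by field layout and lists each exposed account once. The sample lines are constructed and the function names are hypothetical; 5500 is Hashcat's mode for NetNTLMv1.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample lines (not real captures); hex fields are filler bytes.
SAMPLE = [
    "jdoe::CORP:" + "11" * 8 + ":" + "22" * 16 + ":" + "0101" + "00" * 20,
    "JDOE::corp:" + "aa" * 8 + ":" + "bb" * 16 + ":" + "0101" + "00" * 20,
    "asmith::CORP:" + "33" * 24 + ":" + "44" * 24 + ":" + "55" * 8,
    "not a hash line",
]

def classify(line):
    """Return (user, domain, kind, hashcat_mode), or None if unrecognised."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return None
    user, _, domain, f3, f4, f5 = parts
    if not all(HEX.fullmatch(f) for f in (f3, f4, f5)):
        return None
    # NetNTLMv2: 8-byte server challenge, 16-byte NTProofStr, variable blob.
    if (len(f3), len(f4)) == (16, 32):
        return (user, domain, "NetNTLMv2", 5600)
    # NetNTLMv1: 24-byte LM response, 24-byte NT response, 8-byte challenge.
    if (len(f3), len(f4), len(f5)) == (48, 48, 16):
        return (user, domain, "NetNTLMv1", 5500)
    return None

def unique_accounts(lines):
    """Keep the first recognised capture per DOMAIN\\user, case-insensitively."""
    seen = {}
    for line in lines:
        result = classify(line)
        if result is not None:
            seen.setdefault((result[1].upper(), result[0].upper()), result)
    return list(seen.values())

if __name__ == "__main__":
    for user, domain, kind, mode in unique_accounts(SAMPLE):
        print(f"{domain}\\{user}: {kind} (hashcat -m {mode})")
```

The deduplicated list doubles as the set of accounts whose credentials were exposed to poisoning and belong in the assessment report.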
Cracking an NTLMv2 Hash With Hashcat
From Windows
Inveigh - PowerShell version
InveighZero - C# version
```
# Run PowerShell as Admin
.\Inveigh.exe -Sniffer N
> Press ESC to enter/exit interactive console
>> HELP
>> GET NTLMV2UNIQUE
>> GET NTLMV2USERNAMES
```
Tools
| Tool | Description |
|---|---|
| Responder | Responder is a purpose-built tool to poison LLMNR, NBT-NS, and MDNS, with many different functions. |
| Inveigh | Inveigh is a cross-platform MITM platform that can be used for spoofing and poisoning attacks. |
| Metasploit | Metasploit has several built-in scanners and spoofing modules made to deal with poisoning attacks. |