Live off the Land and Crack the NTLMSSP Protocol

Last month Bleeping Computer published an article about PKTMON.EXE, a little known utility in Windows 10 that provides the ability to sniff and monitor network traffic.  I quickly wondered if it would be feasible to use this utility, and other native tools within Windows, to capture NTLMv2 network authentication handshakes.

TL;DR: Yes it is possible and I wrote a Python3 script called NTLMRawUnHide that can extract NTLMv2 password hashes from packet dumps of many formats!

What is NTLMv2 authentication and why is it important?

NTLMv2 - sometimes referred to as Net-NTLMv2 - is a challenge / response hashing algorithm that is used on Windows networks.  Other network authentication protocols exist for Windows Active Directory - most notably Kerberos - but NTLMv2 is still widely used on today's organizational networks.  As such, many tools in contemporary penetration testing focus on intercepting NTLMv2 authentication handshakes, which can be assembled into crackable password hashes or relayed to other hosts on a network to gain access without the need to crack hashes.  The most infamous of these tools is Responder, which has been a staple in the penetration testing arsenal for many years.

Live off the Land and Capture Packets in Windows

There are two tools within Windows that provide native packet capture capabilities, PKTMON.EXE and NETSH.EXE.  Both utilities output .ETL files, which are structured differently than the more popular .PCAP and .PCAPNG files generated by tcpdump and other open source network sniffers. The following describes how to use each tool to capture network traffic.  We will focus on port 445, which is used to access network resources over the SMB (a.k.a. CIFS) protocol.

:: Capture packets with NETSH.EXE
netsh.exe trace start persistent=yes capture=yes TCP.AnyPort=445 tracefile=C:\Users\Public\capture.etl
netsh.exe trace stop

:: Capture packets with PKTMON.EXE
pktmon.exe filter add SMB -p 445
:: List all filters 
pktmon.exe filter list
:: Find id of the network adapter (example > Id: 9)
pktmon.exe comp list
:: pktmon.exe start --etw -p 0 -c [Adapter ID] -l real-time
:: Note: The real-time option is new in Windows 10 2004, and isn't required
pktmon.exe start --etw -p 0 -c 9 -l real-time
:: Will create the file PktMon.etl in current directory
pktmon.exe stop
:: Cleanup
pktmon.exe filter remove

One reason I developed NTLMRawUnHide was that I had a difficult time converting .ETL files into a .PCAP format.  While there are tools, such as Microsoft's etl2pcapng, that attempt to convert .ETL files to easier to work with formats, I didn't have much luck getting these to work for my purposes.  It's possible to convert .ETL files to .CAP files using Microsoft Network Monitor 3.4, and .CAP files are supported by WireShark, but the parsing capability is not as robust as when working with .PCAP/.PCAPNG files.  WireShark does provide the editcap utility to convert .CAP files to .PCAP, but received an error when attempting to convert the packet dumps. (In Windows 10 2004, PKTMON.EXE now supports native output to .PCAPNG format!)

So, instead of attempting to convert the format of these packet trace files, I instead I decided to dive into the NTLMSSP protocol, determine how the binary packets could be parsed and write a tool to retrieve password hashes.

Dissecting NTLMv2 Network Authentication

The absolute most useful link I found on the topic was The NTLM Authentication Protocol and Security Support Provider.  If you are really interested in the specifics of how NTLMSSP works and the structure of the protocol packets, it's the best resource on the internet.  Without it, I likely wouldn't have been able to (easily) produce this tool.

NTLMSSP - or the NT Lan Manage Security Support Provider - is a challenge response network authentication protocol.

There are three message types that go into each NTLMSSP authentication handshake, which all conveniently begin with the NULL terminated ASCII string "NTLMSSP".

Message Type 1: Negotiation

The Type 1 message is sent from the client to the server to initiate NTLM authentication.  For our purposes, it doesn't contain any useful data for assembling a crackable NTLMv2 hash.  Type 1 messages may contain the Workstation and Domain, but these points can be retrieved later in the handshake.

We can identify this message type through the following message header:

NTLMSSP\x00 0x01000000

Message Type 2: Challenge

The Type 2 message is sent from the server to the client, as response to the Type 1 message.  The Type 2 message also provides a "server challenge" to the client, which is used to prepare the Type 3 message that completes the handshake.

We can identify this message type through the following message header:

NTLMSSP\x00 0x02000000

The server challenge is the first piece of data required to assemble the crackable NTLMv2 hash, and is an 8 byte block of random data located between bytes 24 and 32 offset from the Type 2 message start.

Message Type 3: Authentication

The Type 3 message is sent from client to server, and is the final step in the authentication handshake.  Type 3 messages contain the client response to the server challenge, demonstrating that the client hash knowledge of the account password without actually sending the password or NTLM password hash directly.  Type 3 messages also include the authentication target, namely the Username and Domain, as well as the Workstation.

We can identify this message type through the following message header:

NTLMSSP\x00 0x03000000

To assemble a crackable NTLMv2 password hash, the following fields are required.  The table describes how to determine the length and byte offset of each field within the NTLMSSP message.

Building Crackable NTLMv2 Hashes

If you are familiar working with tools like Responder, you may already be visually used to seeing NTLMv2 hashes, but may not know the individual fields that build a crackable hash.  John the Ripper and Hashcat require NTLMv2 hashes in the following format:

Using NTLMRawUnHide to Uncover NTLMv2 Hashes

With the NTLMSSP protocol decoded, I developed the Python3 script NTLMRawUnhide.py to parse binary network packet capture files, and extract NTLMv2 hashes in a crackable format.  Since we are analyzing the raw binary data, the file format doesn't matter, so the tool can analyze .ETL, .CAP, .PCAP, and .PCAPNG files.  With this tool, output generated by native Windows LOLBins (NETSH.EXE and PKTMON.EXE) can be analyzed without conversion.  The tool itself doesn't require any non-native Python3 modules, so it should be quite portable and easy to run anywhere. Using NTLMRawUnHide, packet dumps can be analyzed offline, or in real time.

This video demonstrates NTLMRawUnHide in action.  I captured this from a VM running Windows 10.  NTLMRawUnHide is running within Kali Linux running within WSL, and set to follow a packet trace generated by NETSH.EXE listening to port 445 / SMB.  SMB was chosen for this video since it will use NTLMv2 authentication, but remember that other Windows remote management protocols (e.g. WMI) also use NTLMv2 authentication.

The video shows NTLMv2 hashes being captured in real time and output to a file, which can be cracked at a later time.  Please be aware, there is no requirement to run NTLMRawUnHide within Windows 10.  It was easier for video recording to capture the whole process in a single window.  Packet captures can be transferred to a remote host and analyzed as a standalone file or in real time.

You can download the tool, as well as example packet captures in various formats, on the project's GitHub page.  I am exploring adding NTLM authentication relaying to the tool, which I may add into a future version of NTLMRawUnHide.

If you find this tool useful for penetration testing, red teaming, or anything else, drop me a line or send me a Tweet and let me know!