
Fundamentals of Penetration Testing

NTLM authentication, SAM database and hash stealing

Medium
30 min

Authentication in a Windows environment can take several forms. The two most common authentication methods are NTLM and Kerberos. We will cover Kerberos in another scenario; here we focus on NTLM.

NTLM

NTLM (NT LAN Manager) is an authentication protocol on Windows that works roughly as follows:

  • The client sends an NtlmNegotiate message stating that it wants to authenticate. In our example the user is Jaska: "Hello, I would like to authenticate."
  • The server responds with an NtlmChallenge message containing a challenge. "If you really are who you claim to be, then prove it. I know your password, what is it? Oh wait, it shouldn't be sent over the network so that it doesn't fall into the wrong hands... Hey, I've got an idea! I know the NTLM hash of your password. Here's a challenge: ABC123. Encrypt it using your password hash as the key and send the result back. I will do the same with the hash I have on file and compare. If they match, you have proven that you have the password, or well, at least the hash."
  • The client responds with an NtlmAuthenticate message, which carries both the response to the challenge and the encrypted session key (EncryptedSessionKey); the authenticated connection can then continue.

Example in Wireshark: NTLM over SMB

A very typical scenario in a Windows network is to authenticate to an SMB file share using the NTLM protocol.

Local Login: SAM database

When logging into a Windows server (or workstation) with a local account, the NTLM hash is verified against the SAM database.

In the Windows operating system, there is a database called SAM (Security Accounts Manager), which is responsible for managing user accounts and storing user-related information in a local database.

When a user attempts to log in to a computer, the Windows operating system uses the SAM database to check if the provided username and password match the stored information. If the information is correct, the user is granted access to the computer.

The SAM Database also determines which user accounts are system administrators and which users have restricted access to the computer.

Domain Logon: Pass-through authentication to the domain controller

Typically in a company network, Windows machines are part of a domain controlled by a domain controller. If someone tries to log in to a server using NTLM with a domain account rather than a local account, the server itself does not know the user's password hash and cannot verify the challenge-response. In that case the server forwards the response to the domain controller for verification ("pass-through authentication").

You can log in with just the NTLM hash

It is noteworthy that in NTLM authentication, the clear-text password is not actually sent or used. Everything happens with an NTLM hash, which is a digest derived from the password.

Attacks in which an attacker has obtained such an NTLM hash and used it to log in to domain machines that accept that password have historically been called "Pass the Hash" (PtH) attacks.

Same password = Same hash = Same user

It is also worth noting that if the user uses the same password on two different servers, the hash is also the same, and it can be used to log in to both servers.

Let's take an example.

  • evilcorp.local uses the same password for the local Administrator user on all servers. The password is "kissa123" and its hash is "ABAAF1E2DEBF7362E046820DB495ACFE".
  • An attacker breaches the A.evil.local server and steals the NTLM hash (ABAAF1E2DEBF7362E046820DB495ACFE) from the server's local SAM database.
  • The attacker logs in to the B.evil.local server using the username "Administrator" and the hash ABAAF1E2DEBF7362E046820DB495ACFE.
  • The attacker also gains control of the B.evil.local server.
  • The attacker repeats this to every server where the hash is valid.
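To make the three points above concrete (the challenge-response exchange, the fact that only the hash takes part in it, and "same password = same hash"), here is a small added example that is not part of the original lesson. It models a simplified NTLMv2 exchange in Python: the server stores only the NT hash, the client answers the challenge with an HMAC-MD5 keyed by that hash, and the server recomputes and compares. MD4 is implemented inline because many Python/OpenSSL builds no longer expose it in hashlib. The timestamp/target-info blob and the session-key step of real NTLMv2 are left out, and the server names, user names and the second password in demo() are constructed for the example.

```python
"""Added example (not part of the original lesson): a minimal NTLMv2
challenge-response model showing that only the NT hash, never the
clear-text password, takes part in authentication. MD4 is implemented
inline because many Python/OpenSSL builds no longer ship it in hashlib.
The blob/timestamp/target-info and session-key parts of real NTLMv2
are left out; names and passwords used in demo() are constructed."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the primitive behind the NT hash."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, shifts, word order)
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, s, order in rounds:
            for i, w in enumerate(order):
                if i % 4 == 0:
                    a = _rol((a + fn(b, c, d) + x[w] + k) & MASK, s[0])
                elif i % 4 == 1:
                    d = _rol((d + fn(a, b, c) + x[w] + k) & MASK, s[1])
                elif i % 4 == 2:
                    c = _rol((c + fn(d, a, b) + x[w] + k) & MASK, s[2])
                else:
                    b = _rol((b + fn(c, d, a) + x[w] + k) & MASK, s[3])
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what the SAM stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 per-user key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_nonce: bytes) -> bytes:
    """NtlmAuthenticate payload: NTProofStr || blob (blob reduced to the client nonce here)."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + client_nonce, hashlib.md5).digest()
    return proof + client_nonce


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """The server recomputes the proof from the hash it stores; it never sees a password."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    """Two servers (constructed names) sharing one local Administrator password."""
    user, domain = "Administrator", "EVILCORP"
    sam_a = {user: nt_hash("kissa123")}  # server A's SAM entry
    sam_b = {user: nt_hash("kissa123")}  # server B, same password => identical hash
    chal_b = os.urandom(8)               # NtlmChallenge issued by server B
    # Honest login on B: client derives the hash from the typed password.
    honest = client_response(nt_hash("kissa123"), user, domain, chal_b, os.urandom(8))
    # Hash-only login on B using the hash read from A's SAM: the password is never needed.
    hash_only = client_response(sam_a[user], user, domain, chal_b, os.urandom(8))
    # A different (constructed) password yields a different hash and is rejected.
    wrong = client_response(nt_hash("koira456"), user, domain, chal_b, os.urandom(8))
    return {
        "same_hash_on_both_servers": sam_a[user] == sam_b[user],
        "password_login": server_verify(sam_b[user], user, domain, chal_b, honest),
        "hash_only_login": server_verify(sam_b[user], user, domain, chal_b, hash_only),
        "wrong_password": server_verify(sam_b[user], user, domain, chal_b, wrong),
        # A response is bound to the challenge, so replaying it against a new challenge fails.
        "replay_against_new_challenge": server_verify(sam_b[user], user, domain, os.urandom(8), honest),
    }


if __name__ == "__main__":
    print("NT hash of 'kissa123':", nt_hash("kissa123").hex().upper())
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo() result reads as a checklist: the honest client and the hash-only client produce responses the server accepts equally, a different password is rejected, and a captured response cannot simply be replayed because it is bound to the server's challenge. This is exactly why the hash itself has to be protected as if it were the password.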

Empty LM hash

In ancient times, Windows used the weaker LM (LanMan) hash instead of NTLM. It is no longer used in modern Windows networks. In its place you will see an "empty LM hash" with the value AAD3B435B51404EEAAD3B435B51404EE. So don't be confused when tools output both LM and NTLM hashes: the LM hash is almost always that "aad3b..." value, which means the LM hash is not actually in use.

Stealing SAM Database with Meterpreter

In Metasploit, there is a Meterpreter command hashdump that reads and parses the SAM database from the server's disk, extracts the users and their LM and NTLM digests, and outputs them.
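The following is an added example, not part of the lesson or of Metasploit, showing what to do with hashdump output once you have it from more than one host. It parses lines in the user:rid:lmhash:nthash::: format, flags accounts where the LM field is not the empty LM hash from the previous section, flags accounts whose NT hash is that of an empty password, and reports NT hashes that repeat across hosts (the "same password = same hash" situation). The host names, non-Administrator users and their hashes are constructed; only the Administrator hash is the one quoted earlier on this page.

```python
"""Added example (not part of the original lesson): parse Meterpreter-style
hashdump output (user:rid:lmhash:nthash:::) from several hosts and flag
what a defender cares about: LM hashes still in use, empty passwords, and
the same NT hash reused across hosts. Host names, users and hashes below
are constructed; only the Administrator hash is the one quoted in the lesson."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM not in use
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample dumps, in the format hashdump prints.
SAMPLE_DUMPS = {
    "A.evil.local": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:abaaf1e2debf7362e046820db495acfe:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    ],
    "B.evil.local": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:abaaf1e2debf7362e046820db495acfe:::",
        "legacyapp:1002:ffeeddccbbaa99887766554433221100:0123456789abcdef0123456789abcdef:::",
    ],
}


def parse_hashdump(lines):
    """Return one dict per account; raise on lines that are not in hashdump format."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length in: {line!r}")
        entries.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_in_use": lm != EMPTY_LM,        # anything but the empty LM value is a real LM hash
            "empty_password": nt == EMPTY_NT,   # NT hash of ""
        })
    return entries


def audit(dumps):
    """Cross-host audit: where LM is still on, which accounts are empty, which hashes repeat."""
    by_nt = defaultdict(list)
    findings = {"lm_in_use": [], "empty_password": [], "reused_nt": {}}
    for host, lines in dumps.items():
        for e in parse_hashdump(lines):
            account = f"{host}\\{e['user']}"
            if e["lm_in_use"]:
                findings["lm_in_use"].append(account)
            if e["empty_password"]:
                findings["empty_password"].append(account)
            by_nt[e["nt"]].append(account)
    # The same NT hash on two hosts means the same password on both: the case the lesson warns about.
    findings["reused_nt"] = {
        h: accts for h, accts in by_nt.items() if len(accts) > 1 and h != EMPTY_NT
    }
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMPS).items():
        print(f"{key}: {value}")
```

When recording users and hashes per server in CherryTree, this is the kind of cross-server comparison worth noting down: an Administrator hash that repeats across hosts is the finding, not any single dump.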

Exercise

Run the meterpreter "hashdump" command and find out the NTLM hash of the Administrator user. It is also recommended to create a new node in CherryTree (e.g. Servers/IIS1) and record the users and hashes.

What is the NTLM hash of the Administrator user password on the IIS server?

Evilcorp - Scenario 1

This is a scenario, please do not unnecessarily close it within the same course area (Scenario 1) so that you do not lose your progress. Please add time if necessary. It may take a few minutes for the scenario to start, please wait patiently.
