NTLMv1 Downgrade

• https://github.com/NotMedic/NetNTLMtoSilverTicket

• https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/

• https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/

• https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html

Client sends NTLMv1 response when LmCompatibilityLevel exists and is 2 or lower, which can be downgraded to "NTLMv1 w/o SSP" when NtlmMinClientSec is 0x20 or lower:

Check

Check with PowerShell:

PS > (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name LmCompatibilityLevel).LmCompatibilityLevel
2
PS > $decValue = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -Name NtlmMinClientSec).NtlmMinClientSec
PS > $hexValue = "0x" + [string]::Format("{0:x}", $decValue)
PS > $hexValue
0x20

Check with Seatbelt (example):

Cmd > .\Seatbelt.exe NTLMSettings

Abuse

Abuse with Responder with a known challenge of 1122334455667788 (see Authentication Coercion to trigger callbacks):

ntlmv1-multi + crack.sh

• https://crack.sh/netntlm/

• https://crack.sh/get-cracking/

• https://crack.sh/cracking-ntlmv1-w-ess-ssp/

• https://github.com/evilmog/ntlmv1-multi

Calculate the token:

Check the final 2 bytes (4 characters) of the NT hash:

Public Rainbow Tables

• https://ntlmv1.com/

• https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables