{"id":13841368,"url":"https://github.com/kindtime/nosferatu","last_synced_at":"2025-07-11T12:31:34.338Z","repository":{"id":93060198,"uuid":"417986827","full_name":"kindtime/nosferatu","owner":"kindtime","description":"Windows NTLM Authentication Backdoor","archived":false,"fork":false,"pushed_at":"2021-10-17T01:18:19.000Z","size":983,"stargazers_count":236,"open_issues_count":0,"forks_count":46,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-08-05T17:27:14.329Z","etag":null,"topics":["backdoor","lsass","ntlm","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kindtime.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-10-17T01:04:36.000Z","updated_at":"2024-07-17T16:48:38.000Z","dependencies_parsed_at":"2023-06-04T14:00:23.264Z","dependency_job_id":null,"html_url":"https://github.com/kindtime/nosferatu","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kindtime%2Fnosferatu","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kindtime%2Fnosferatu/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kindtime%2Fnosferatu/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kindtime%2Fnosferatu/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kindtime","download_url":"https://codeload.github.com/kindtime/nosferatu/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225720402,"owners_count":17513597,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backdoor","lsass","ntlm","windows"],"created_at":"2024-08-04T17:01:09.481Z","updated_at":"2025-07-11T12:31:34.327Z","avatar_url":"https://github.com/kindtime.png","language":"C++","funding_links":[],"categories":["C++"],"sub_categories":[],"readme":"\n# nosferatu\n\nWindows NTLM/Kerberos Authentication Backdoor \n\n## How it Works\n\nFirst, the DLL is injected into the `lsass.exe` process, and will begin hooking authentication WinAPI calls. The targeted functions are:\n\n- `NTLM: NtlmShared!MsvpPasswordValidate()`\n- `Kerberos: cryptdll!CDLocateCSystem()`\n- `Kerberos: samsrv!SamIRetrieveMultiplePrimaryCredentials()`\n\nIn the pursuit of not being detected, the hooked functions will call the original first and allow for the normal flow of authentication. Only after seeing that authentication has failed will the hook swap out the actual NTLM hash with the backdoor hash.\n\n## Usage\n\nnosferatu must be compiled as a 64 bit DLL. \n\n![injector](photos/injector.png)\n\nYou can see it loaded using Procexp:\n\n![loaded](photos/loaded.png)\n\nLogin example using Impacket:\n\n![auth](photos/auth.png)\n\n## Limitations\nHooks are not applied for 60 seconds while the system boots.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkindtime%2Fnosferatu","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkindtime%2Fnosferatu","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkindtime%2Fnosferatu/lists"}