Windows NTLM Authentication Backdoor
https://github.com/kindtime/nosferatu
- Host: GitHub
- URL: https://github.com/kindtime/nosferatu
- Owner: kindtime
- Created: 2021-10-17T01:04:36.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2021-10-17T01:18:19.000Z (about 3 years ago)
- Last Synced: 2024-08-05T17:27:14.329Z (4 months ago)
- Topics: backdoor, lsass, ntlm, windows
- Language: C++
- Homepage:
- Size: 960 KB
- Stars: 236
- Watchers: 6
- Forks: 46
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - kindtime/nosferatu - Windows NTLM Authentication Backdoor (C++)
README
# nosferatu
Lsass NTLM Authentication Backdoor
## How it Works
First, the DLL is injected into the `lsass.exe` process and begins hooking the authentication WinAPI calls. The targeted function is `MsvpPasswordValidate()`, located in `NtlmShared.dll`. To avoid detection, the hook first calls the original function and lets the normal authentication flow proceed. Only after seeing that authentication has failed does the hook swap the actual NTLM hash for the backdoor hash before the comparison.
## Usage
Nosferatu must be compiled as a 64-bit DLL. It must be injected using a DLL injector that holds SeDebugPrivilege.
![injector](photos/injector.png)
You can see it loaded using Procexp:
![loaded](photos/loaded.png)
Login example using Impacket:
![auth](photos/auth.png)
## Limitations
In an Active Directory environment, authentication via RDP, runas, or the lock screen does not work with the `nosferatu` password. Authentication using SMB, WinRM, and WMI is still possible.
In a non-AD environment, authentication works for all of these methods.