https://github.com/kindtime/nosferatu

Windows NTLM Authentication Backdoor
https://github.com/kindtime/nosferatu

backdoor lsass ntlm windows

Last synced: 3 months ago
JSON representation

Windows NTLM Authentication Backdoor

• Host: GitHub
• URL: https://github.com/kindtime/nosferatu
• Owner: kindtime
• Created: 2021-10-17T01:04:36.000Z (almost 4 years ago)
• Default Branch: master
• Last Pushed: 2021-10-17T01:18:19.000Z (almost 4 years ago)
• Last Synced: 2024-08-05T17:27:14.329Z (about 1 year ago)
• Topics: backdoor, lsass, ntlm, windows
• Language: C++
• Homepage:
• Size: 960 KB
• Stars: 236
• Watchers: 6
• Forks: 46
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - kindtime/nosferatu - Windows NTLM Authentication Backdoor (C++)

README

          

# nosferatu

Windows NTLM/Kerberos Authentication Backdoor 

## How it Works

First, the DLL is injected into the `lsass.exe` process, and will begin hooking authentication WinAPI calls. The targeted functions are:

- `NTLM: NtlmShared!MsvpPasswordValidate()`

- `Kerberos: cryptdll!CDLocateCSystem()`

- `Kerberos: samsrv!SamIRetrieveMultiplePrimaryCredentials()`

In the pursuit of not being detected, the hooked functions will call the original first and allow for the normal flow of authentication. Only after seeing that authentication has failed will the hook swap out the actual NTLM hash with the backdoor hash.

## Usage

nosferatu must be compiled as a 64 bit DLL. 

![injector](photos/injector.png)

You can see it loaded using Procexp:

![loaded](photos/loaded.png)

Login example using Impacket:

![auth](photos/auth.png)

## Limitations

Hooks are not applied for 60 seconds while the system boots.