Did some tests today. There would be a way to identify "valid" Net-NTLM hashes from invalid ones and highlight the difference in the logs (we should keep the bad ones still because they might give a hint about other types of creds).
Invalid:
[2022-04-01 19:57:11,741] - INFO - Raul666206 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:9dd5d54c8bf1511b:197477fd4b8c3dafd9e4ec30bc23d4d8:01010000000000004c652fad0246d8012daf35537830b9e20000000002001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440001001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440004001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440003001e0045004300320041004d0041005a002d0042004d0043004e0044004c004400070008004c652fad0246d80106000400020000000800300030000000000000000100000000200000aa7bda98074961e32a772956fc333f299ea334916141e5e9f1bdf09b597f19680a00100000000000000000000000000000000000090034005400450052004d0053005
other side was lost in a non-clean fashion: Connection lost.
Valid:
We could probably make that distinction by looking at the protocol packets back from the server.
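As an added example (not pyrdp's own code), a structural check that complements the server-packet approach: it parses the `NTLMSSP Hash:` line above into its hashcat-style fields and walks the NTLMv2 response blob per MS-NLMP, flagging the logged hash as incomplete because its AV_PAIR list never reaches MsvAvEOL. It assumes only the log format shown in this comment and the MS-NLMP layout; GOOD_LINE is a constructed, complete line for comparison.

```python
import re
import struct

# Log line from this issue (copied as-is; its blob is cut short) and a
# constructed, complete line to compare against.
SAMPLE_LINE = "[2022-04-01 19:57:11,741] - INFO - Raul666206 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:9dd5d54c8bf1511b:197477fd4b8c3dafd9e4ec30bc23d4d8:01010000000000004c652fad0246d8012daf35537830b9e20000000002001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440001001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440004001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440003001e0045004300320041004d0041005a002d0042004d0043004e0044004c004400070008004c652fad0246d80106000400020000000800300030000000000000000100000000200000aa7bda98074961e32a772956fc333f299ea334916141e5e9f1bdf09b597f19680a00100000000000000000000000000000000000090034005400450052004d0053005"
GOOD_LINE = ("NTLMSSP Hash: alice::CORP:0011223344556677:" + "0" * 32 + ":"
             + "0101000000000000" + "0" * 32 + "00000000" + "0200040041004200" + "00000000" + "00000000")

LOG_RE = re.compile(
    r"NTLMSSP Hash:\s*(?P<user>[^:]*)::(?P<domain>[^:]*):"
    r"(?P<chal>[0-9a-fA-F]*):(?P<proof>[0-9a-fA-F]*):(?P<blob>[0-9a-fA-F]*)\s*$"
)
# Fixed part of NTLMv2_CLIENT_CHALLENGE (MS-NLMP): RespType, HiRespType,
# Reserved1(2), Reserved2(4), TimeStamp(8), ChallengeFromClient(8), Reserved3(4)
AV_PAIRS_OFFSET = 28
MSV_AV_EOL = 0

def parse_pyrdp_hash_line(line):
    """Split a pyrdp 'NTLMSSP Hash:' log line into its hashcat-style fields."""
    m = LOG_RE.search(line)
    return None if m is None else {k: m[k] for k in ("user", "domain", "chal", "proof", "blob")}

def structural_problems(fields):
    """List reasons the logged hash is not a complete NTLMv2 response (empty = well-formed)."""
    problems = []
    if len(fields["chal"]) != 16:
        problems.append("server challenge is not 8 bytes")
    if len(fields["proof"]) != 32:
        problems.append("NTProofStr is not 16 bytes")
    blob_hex = fields["blob"]
    if len(blob_hex) % 2:
        problems.append("blob has odd hex length (truncated?)")
        blob_hex = blob_hex[:-1]
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01" or blob[2:8] != b"\x00" * 6:
        problems.append("blob does not start with RespType=1/HiRespType=1 header")
    # Walk the AV_PAIR list; a complete response has MsvAvEOL inside the blob.
    pos, terminated = AV_PAIRS_OFFSET, False
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            terminated = True
            break
        pos += av_len
    if not terminated:
        problems.append("AV_PAIR list ends before MsvAvEOL (truncated?)")
    return problems
```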