GoSecure / pyrdp

RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
https://www.gosecure.net/blog/2020/10/20/announcing-pyrdp-1/
GNU General Public License v3.0

Identify good Net-NTLMSSP hashes #398

Open obilodeau opened 2 years ago

obilodeau commented 2 years ago

Did some tests today. There would be a way to identify "valid" Net-NTLM hashes from invalid ones and highlight the difference in the logs (we should still keep the bad ones because they might give hints about other types of creds).

Invalid:

[2022-04-01 19:57:11,741] - INFO - Raul666206 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:9dd5d54c8bf1511b:197477fd4b8c3dafd9e4ec30bc23d4d8:[...]
[...] other side was lost in a non-clean fashion: Connection lost.

Valid:

[2022-04-01 19:57:22,746] - INFO - Maurice363590 - pyrdp.mitm.connections.ntlmssp - [!] NTLMSSP Hash: Administrator::WINDEV2202EVAL:e13c59bf4301d80e:0025583f160cdbd3463279b015b3d87a:01010000000000007de4bdb30246d801112e33ba831cbefe0000000002001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440001001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440004001e0045004300320041004d0041005a002d0042004d0043004e0044004c00440003001e0045004300320041004d0041005a002d0042004d0043004e0044004c004400070008007de4bdb30246d80106000400020000000800300030000000000000000100000000200000aa7bda98074961e32a772956fc333f299ea334916141e5e9f1bdf09b597f19680a00100000000000000000000000000000000000090034005400450052004d005300520056002f006d0079002d007300650072007600650072002e0067006f007300650063002e0063006f000000000000000000
[2022-04-01 19:57:23,770] - INFO - Maurice363590 - pyrdp.mitm.connections.tcp - Server connection closed. [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]

We could probably make that distinction by looking at the protocol packets back from the server.

lubiedo commented 2 years ago

By valid you mean NTLM hashes that were used in a successful login?

obilodeau commented 2 years ago

> By valid you mean NTLM hashes that were used in a successful login?

Yes, exactly