Kerberos and NTLM Security Vulnerabilities

3.

NTLM Security Vulnerabilities

3.1.

Credential Extraction Attacks

3.1.1.

LSASS Memory Dumping

3.1.1.1.

Process Memory Access

3.1.1.2.

MiniDumpWriteDump API

3.1.1.3.

Task Manager Method

3.1.1.4.

ProcDump Utility

3.1.1.5.

Privilege Requirements

3.1.2.

SAM Database Extraction

3.1.2.1.

Offline Registry Access

3.1.2.2.

Volume Shadow Copy Service

3.1.2.3.

Live System Extraction

3.1.2.4.

Registry Hive Copying

3.1.3.

Cached Credential Extraction

3.1.3.1.

MSCache Hash Format

3.1.3.2.

Domain Cached Credentials (DCC)

3.1.3.3.

DCC2 Hash Format

3.2.

Pass-the-Hash Attacks

3.2.1.

Attack Methodology

3.2.1.1.

Hash Acquisition

3.2.1.2.

Authentication Bypass

3.2.1.3.

Session Establishment

3.2.2.

Technical Implementation

3.2.2.1.

NTLM Authentication Flow Abuse

3.2.2.2.

Token Manipulation

3.2.2.3.

Process Injection

3.2.3.

3.2.3.1.

3.2.3.2.

Windows Credential Editor (WCE)

3.2.3.3.

Metasploit Modules

3.2.3.4.

PowerShell Empire

3.2.4.

Lateral Movement Techniques

3.2.4.1.

3.2.4.2.

PsExec-style Tools

3.2.4.3.

Remote Service Creation

3.3.

NTLM Relay Attacks

3.3.1.

Attack Prerequisites

3.3.1.1.

Man-in-the-Middle Positioning

3.3.1.2.

SMB Signing Disabled

3.3.1.3.

Target Service Identification

3.3.2.

3.3.2.1.

NetBIOS Name Service Poisoning

3.3.2.2.

LLMNR Poisoning

3.3.2.3.

Responder Tool Usage

3.3.2.4.

Cross-Protocol Relay

3.3.3.

HTTP/HTTPS Relay

3.3.3.1.

Web Application Integration

3.3.3.2.

3.3.3.3.

Cross-Site Request Forgery (CSRF) Integration

3.3.4.

Multi-Relay Attacks

3.3.4.1.

Relay Chain Establishment

3.3.4.2.

Privilege Escalation Through Relay

3.4.

Hash Cracking Attacks

3.4.1.

Offline Brute Force

3.4.1.1.

Dictionary Attacks

3.4.1.2.

3.4.1.3.

3.4.2.

Rainbow Table Attacks

3.4.2.1.

Precomputed Hash Tables

3.4.2.2.

Time-Memory Trade-off

3.4.2.3.

LM Hash Vulnerability

3.4.3.

3.4.3.1.

3.4.3.2.

John the Ripper

3.4.3.3.

3.4.3.4.

Previous

2. NTLM Protocol Architecture

Go to top

Next

4. Kerberos Protocol Fundamentals