Start by running an Nmap scan against the target.
nmap -sC -sV 172.25.90.3
Windows goodness!

Check for null authentication on shared folders.
- Just hit Enter when it prompts you for the password
smbclient -L 172.25.90.3 -U ''

Here we have a folder called ‘Shared_Documents’ that appears to be accessible.
- Mount it
- Again, no password when prompted
mount -t cifs //172.25.90.3/Shared_Documents /mnt

If you take a look in the /mnt folder, you’ll find a lot of files.
- They are all filled with meaningless corporate garbage, but this looks like an active location on the network.
- In an instance like this, we can place a file that is designed to force a user who opens this folder to try to authenticate with our Kali Linux machine. When this happens we’ll be able to:
- Steal their NTLMv2 hash
- Crack that sucker and reveal the plaintext password.
The Greenwolf ntlm_theft repo on GitHub has a Python program that generates a number of different files designed to trick unsuspecting users into authenticating with an attacker-controlled machine.
git clone https://github.com/Greenwolf/ntlm_theft.git
cd ntlm_theft
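From the defender's side, the counterpart to the step above is to sweep the writable share for planted files. The scanner below is an added example (not from this writeup or the ntlm_theft project); it assumes the share is mounted at a local path and flags any file whose contents reference a UNC path to a host outside an allowlist of known file servers. The sample files, the host name fileserver01 and the address 10.0.0.5 are constructed for the demo.

```python
import os
import re
import tempfile

# A UNC path: two backslashes, a host (name or IPv4), a backslash, a share name.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[A-Za-z0-9$._-]+")

def unc_hosts_in(data: bytes) -> set[str]:
    """Return every host referenced by a UNC path in the raw bytes.
    Files written by Windows tools are often UTF-16LE, so try both encodings."""
    hosts = set()
    for enc in ("utf-8", "utf-16-le"):
        text = data.decode(enc, errors="ignore")
        hosts.update(m.group(1).lower() for m in UNC_RE.finditer(text))
    return hosts

def scan_share(root: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Walk a mounted share and return (relative path, host) for every file
    that points at a host outside the allowlist. A reference to an unknown
    host is where a user's outbound authentication attempt would be sent."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)   # cap the per-file read
            except OSError:
                continue                        # unreadable file: skip, don't crash
            for host in unc_hosts_in(data):
                if host not in allowed_hosts:
                    findings.append((os.path.relpath(path, root), host))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Build a constructed sample share in a temp dir and scan it.
    Only the UTF-16LE file pointing at the constructed host 10.0.0.5 is flagged."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "Q3_budget.txt": b"See the numbers in \\\\fileserver01\\finance\\q3.xlsx",
            "README.txt": b"Nothing to see here.",
            "notes.ini": "[paths]\r\nTarget=\\\\10.0.0.5\\tools\\setup.exe\r\n".encode("utf-16-le"),
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_share(root, allowed_hosts={"fileserver01"})

if __name__ == "__main__":
    for rel_path, host in demo():
        print(f"{rel_path}: references unknown host {host}")
```

Run it against the real mount point instead of the temp dir to audit a share in place; anything it reports should be cross-checked against file creation times and the user who wrote it.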
