Does NTLM authentication via HTTP not need a user name?

Because of a vulnerability that has been found in Exchange Server I was trying to run that attack on our local system to see if the workaround can successfully prevent it.

I found a description of NTLM Authentication for HTTP which describes three messages in an NTLM handshake, namely Type 1, 2 and 3. The first one uses only the host name of the client machine and the domain name for generating the hash value. The second one is the server’s challenge and the final one that ultimately authenticates the user to the server is created by the client using the nonce from the challenge and also user name and password.

When connecting to the Exchange Web Service using my credentials I was able to extract the correct user name from the Type-3 (AUTHENTICATION) message. But when I looked at the AUTHENTICATION message that the server sent when sending a push message there was neither a user name nor a domain or host name in it.

Also in another question it has been pointed out that in the first step of an NTLM authentication the client sends the user name to the server which seems not to have been the case here. What am I missing? Are there different variations of messages and flows for NTLM authentication via HTTP and other protocols?

Where are NTLM and LM hashes stored in a password-protected Microsoft presentation file

I have a password protected presentation file (MS Office 2003).

My assignment required me to either remove the password or find it.

In my research I found out that presentations use NTLM and/or NT hashes. I also found out that office2john looks like the tool for the job.

Now my questions: How does office2john extract the hashes? Where are they in the file? Can you explain to me where they are located? Or can you point me to some documentation that explains it?

What is possible with a non-administrative user's Ticket Granting Ticket and/or NTLM hash?

During a penetration test, if a user's NTLM hash or a valid Kerberos TGT is compromised, what attacks are possible if the user is not an administrator on any (in-scope) workstations? For instance, it may be possible to access (non-administrative) SMB shares as that user, but is it possible to obtain a low-level shell as that user? Or does getting a shell always necessitate admin rights in Windows? Assume Windows 10/2012 or later.

To be clear, I don’t mean getting a shell via multiple other hops (such as finding clear text credentials on some SMB share they have access to, then using RDP with those plaintext credentials), I mean directly getting a shell using their NTLM hash or Kerberos ticket, if they only have regular (low-level) user permissions on a machine (vs being a local administrator).

NTLM retrieve password hash using KPA attack and responder net-NTLMv2

I’ve got a few questions associated with NTLM protocol details.

From MSDN (https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm):

  1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.

  2. The client sends the user name to the server (in plaintext).

  3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

  4. The client encrypts this challenge with the hash of the user’s password and returns the result to the server. This is called the response.

  5. The server sends the following three items to the domain controller:

     • User name
     • Challenge sent to the client
     • Response received from the client

  6. The domain controller uses the user name to retrieve the hash of the user’s password from the Security Account Manager database. It uses this password hash to encrypt the challenge.

  7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.

  1. If an attacker knows the challenge (even just from sniffing the data), the ciphertext from the response (a.k.a. steps 3 and 4) and the algorithm (for some reason I couldn’t find out what exact algorithm is used; if someone knows I’ll be happy to know), what prevents the attacker from getting the key to the encryption (which is the hash)?

  2. The Responder tool intercepts traffic and sends challenges to all misspelled hostnames’ NTLMs, and gives the attacker the net-NTLMv2, which cannot be used in PTH. Why can’t it be used?

  3. At steps 6 and 7, the domain controller uses the NTLM hash of the user, encrypts the challenge itself, and then compares it to the response, but according to what I understand, the response is encrypted using the net-NTLMv2, while in the DC DB (NTDS.DIT) the hashes are stored as NTLM hashes. How is the calculation in step 7 the same as the response?

thank you a lot!

Calling SharePoint list.asmx service throws error – The authentication header received from the server was ‘NTLM’

Here is my scenario: I am trying to access SharePoint 2010 list items via the list.asmx service. Following is my code and app.config, which works on my developer box hosting the SharePoint site.

    var client = new ServiceReferenceSPList.ListsSoapClient();
    client.ClientCredentials.UserName.UserName = "...";
    client.ClientCredentials.UserName.Password = "...";
    var result = client.GetListItems("My List", null, query, viewFields, rowLimit, queryOptions, null);

    <system.serviceModel>
      <bindings>
        <basicHttpBinding>
          <binding name="ListsSoap" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" >
            <security mode="TransportCredentialOnly">
              <transport clientCredentialType="Ntlm"/>
            </security>
          </binding>
        </basicHttpBinding>
      </bindings>
      <client>
        <endpoint address="http://server:port/_vti_bin/Lists.asmx"
            binding="basicHttpBinding" bindingConfiguration="ListsSoap"
            contract="ServiceReferenceSPList.ListsSoap" name="ListsSoap" />
      </client>
    </system.serviceModel>

The above code works when it is run from the SharePoint machine itself. I have the SharePoint site on my machine and hence when I run the above code it returns list items. However, when I try to access a SharePoint site hosted on another server on the network it throws this error:

The HTTP request is unauthorized with client authentication scheme ‘Ntlm’. The authentication header received from the server was ‘NTLM’.

I have read a few posts around this error but none seems to help.

  • Call SharePoint custom WCF service from within same SharePoint site
  • SharePoint search web service error (NTLM) when called from HttpHandler
  • https://stackoverflow.com/questions/16273032/connect-to-sharepoint-web-service-through-claims-based-ntlm-authentication

I don’t think I am facing a double hop issue, as I am passing credentials and the code on the development box goes directly to the SharePoint server. The SharePoint 2010 site being accessed is a claims-enabled NTLM auth site.

Please let me know your suggestions to possibly solve this issue.

Issue with Stunnel with NTLM authentication

I have to create a tunnel between server and client. The client has a proxy configured in between, so I use the configuration below in /etc/stunnel/stunnel.config. The user name and password are correct.

    pid = /var/run/stunnel.pid
    cert = /home/client.crt
    key = /home/client.key
    options = NO_SSLv2
    debug = 7
    output = /var/log/stunnel4/stunnel.log
    client = yes
    CAfile=/home/**chain.pem
    verify=2

    [test]
    protocol = connect
    accept = 127.0.0.1:10000
    protocolHost = host.vmj.com:443
    connect = :
    protocolUsername = vmj.com\user1
    protocolPassword = VMJTEST!123
    protocolAuthentication = NTLM

In stunnel.log, I can see the error below:

    2019.02.28 18:36:50 LOG6[2103:140737354032896]: Client-mode connect protocol negotiations started
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> CONNECT host.vmj.com:443 HTTP/1.1
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> Host: host.vmj.com:443
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> Proxy-Connection: keep-alive
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAA==
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: ->
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- HTTP/1.1 407 Proxy Authentication Required
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Server: squid/3.3.8
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Mime-Version: 1.0
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Date: Thu, 28 Feb 2019 18:36:33 GMT
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Content-Type: text/html
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Content-Length: 3285
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Vary: Accept-Language
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Content-Language: en
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgACueAMGSlaSZ0AAAAAAAAAAAAAAAA4AAAABgEAAAAAAA8=
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- X-Cache: MISS from squidproxy.vmj.com
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- X-Cache-Lookup: NONE from squidproxy.vmj.com:3128
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Via: 1.1 squidproxy.vmj.com (squid/3.3.8)
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Connection: keep-alive
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <-
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> CONNECT host.vmj.com:443 HTTP/1.1
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> Host: host.vmj.com:443
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: -> Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAGcAAAAYABgAQAAAAAAAAABnAAAADwAPAFgAAAAAAAAAZwAAAAAAAABnAAAAAgIAAAGbqH5v5ML8msrfm3R1yDBsS+ai3ldihnZybmkuY29tXGJoYXJ0aQ==
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: ->
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- HTTP/1.1 407 Proxy Authentication Required
    2019.02.28 18:36:50 LOG3[2103:140737354032896]: CONNECT request rejected
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Server: squid/3.3.8
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Mime-Version: 1.0
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Date: Thu, 28 Feb 2019 18:36:33 GMT
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Content-Type: text/html
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Content-Length: 3363
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Vary: Accept-Language
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Content-Language: en
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Proxy-Authenticate: NTLM
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- X-Cache: MISS from squidproxy.vmj.com
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- X-Cache-Lookup: NONE from squidproxy.vmj.com:3128
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Via: 1.1 squidproxy.vmj.com (squid/3.3.8)
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <- Connection: keep-alive
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: <-
    2019.02.28 18:36:50 LOG5[2103:140737354032896]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: Remote socket (FD=14) closed
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: Local socket (FD=3) closed
    2019.02.28 18:36:50 LOG7[2103:140737354032896]: Service [test] finished (0 left)

If I try with basic authentication it works fine.

It’s urgent, can someone help me out?

Thanks,

Vj
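The first question on this page asked which NTLM message carries the user name, and the stunnel log above shows all three message types as base64 tokens in the Proxy-Authorization/Proxy-Authenticate headers. The following added parser (not code from either post, nor from stunnel or squid) decodes the NTLMSSP structures per MS-NLMP: only the Type 3 AUTHENTICATE message has user, domain and workstation fields, and each is a length-prefixed descriptor that may legitimately be empty, which is what was observed in the Exchange push message. The Type 1 and Type 2 tokens are copied from the log; the Type 3 token is constructed by build_type3() and is not the one from the log.

```python
import base64
import struct

# Type 1 and Type 2 tokens copied from the stunnel log; Type 3 is constructed below, not the logged one.
TYPE1_B64 = "TlRMTVNTUAABAAAAAgIAAA=="
TYPE2_B64 = "TlRMTVNTUAACAAAAAAAAADgAAAACAgACueAMGSlaSZ0AAAAAAAAAAAAAAAA4AAAABgEAAAAAAA8="
SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # clear means NTLMSSP_NEGOTIATE_OEM: string fields are ASCII


def _field(buf: bytes, at: int) -> bytes:
    """Resolve a (Len, MaxLen, Offset) descriptor located at `at` into the payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    return buf[offset:offset + length]


def _text(raw: bytes, flags: int) -> str:
    return raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")


def parse_ntlmssp(token_b64: str) -> dict:
    """Decode the base64 token that follows 'NTLM' in a (Proxy-)Authorization/Authenticate header."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    if msg_type == 1:  # NEGOTIATE: flags; domain/workstation descriptors are optional
        flags = struct.unpack_from("<I", buf, 12)[0]
        has_fields = len(buf) >= 32  # stunnel sends only the 16-byte minimum
        return {"type": 1, "flags": flags,
                "domain": _text(_field(buf, 16), flags) if has_fields else "",
                "workstation": _text(_field(buf, 24), flags) if has_fields else ""}
    if msg_type == 2:  # CHALLENGE: target name, flags, 8-byte server nonce
        flags = struct.unpack_from("<I", buf, 20)[0]
        return {"type": 2, "flags": flags, "target": _text(_field(buf, 12), flags),
                "challenge": buf[24:32].hex()}
    if msg_type == 3:  # AUTHENTICATE: the only message carrying user/domain/workstation
        flags = struct.unpack_from("<I", buf, 60)[0]
        return {"type": 3, "flags": flags, "nt_response_len": len(_field(buf, 20)),
                "domain": _text(_field(buf, 28), flags), "user": _text(_field(buf, 36), flags),
                "workstation": _text(_field(buf, 44), flags)}
    raise ValueError(f"unknown NTLMSSP message type {msg_type}")


def build_type3(user: str, domain: str, workstation: str, nt_resp: bytes, flags: int) -> str:
    # Minimal AUTHENTICATE message (empty LM response and session key) for the demo.
    enc = lambda s: s.encode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")
    payloads = [b"", nt_resp, enc(domain), enc(user), enc(workstation), b""]
    header, body, offset = b"", b"", 64  # six 8-byte descriptors plus flags end at offset 64
    for p in payloads:
        header += struct.pack("<HHI", len(p), len(p), offset)
        body, offset = body + p, offset + len(p)
    return base64.b64encode(SIGNATURE + struct.pack("<I", 3) + header + struct.pack("<I", flags) + body).decode()
```

Running parse_ntlmssp over the logged tokens shows the Type 1 carrying only flags 0x202 (OEM, NTLM) and the Type 2 carrying the squid challenge with an empty target name, which is the state a defender sees in a proxy or web-server capture before any user name is transmitted.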

Office365 NTLM authentication

Can I authenticate credentials with Office365 based on NTLMv2?

Microsoft describes on Authentication and EWS in Exchange that clients can authenticate with Exchange based on NTLM, but when my program connects to outlook.office365.com to authenticate based on NTLM, Office365 replies with Basic-Authentication.

Does anyone know what the problem is? Or how can I authenticate to Office365 with the NTLM authentication technique?