Farming for Red Teams: Harvesting NetNTLM - MDSec

Farming for Red Teams: Harvesting NetNTLM - MDSec

In the ActiveBreach red team, we’re always looking for innovative approaches for lateral movement and privilege escalation. For many of the environments we operate in, focusing on the classic Active Directory attacks loved by many red teams will not end well, as we’re often battling defenders who’ve tuned their detections to these well known tactics.

One of the most effective tactics for traditional internal penetration tests, where you typically have your own machine plugged in to the network, involves collecting or relaying NetNTLM hashes through LLMNR or netbios poisoning. This attack is well understood and widely documented, including great resources by @byt3bl33d3r and @W00Tock. Setting aside the approach of LLMNR/netbios poisoning, the collection of NetNTLM hashes is not only highly effective, but also difficult to detect in large environments.

While conceptually this a very powerful attack path, few have been effective in weaponising it for practical use in a red team engagement where you’re typically operating as a low privileged user over a command-and-control channel. Indeed, most of the attempts that we’re aware of to date have required administrative rights and/or have installed a driver to hijack communications on 445; some examples of prior work include:

More recently, NCC Group released Sigwhatever which injects a link to a hosted image inside an Outlook signature, forcing authentication over HTTP, providing an interesting vector for targeted internal spear phishing.

This work was conceptually similar to some of ou ..