October 2018
Intermediate to advanced
404 pages
8h 50m
English
We have run our SMB poisoning attack using the Responder tool and captured two accounts. One is the user account fflintstone, and we got lucky and also captured an NTLMv2 hash for the Administrator account. As we can see in the following screenshot, by running the attack to drop HTTP-NTLM support to basic, we have captured a plain-text password for fflintstone, so we have an encrypted password to work with. NTLMv2 hashes differ from V1 hashes in that V2 hashes are salted using the challenge and response given in the communication from server to client. So, we can't use the pass-the-hash method to log in by just using the hash in place of the actual password, but if hashes were the only thing captured, we could ...
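Why a captured NTLMv2 value is tied to one exchange can be shown with the response calculation from the MS-NLMP specification. This is an added example, not code from the book: the NT hash, domain name `EXAMPLE`, challenges, simplified client blob and all function names are constructed for illustration.

```python
import hashlib
import hmac

def ntlmv2_response_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the 8-byte server challenge plus the client blob."""
    key = ntlmv2_response_key(nt_hash, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()

def server_accepts(nt_hash: bytes, user: str, domain: str,
                   issued_challenge: bytes, proof: bytes, client_blob: bytes) -> bool:
    """Server side: recompute the proof for the challenge it issued and compare."""
    expected = nt_proof(nt_hash, user, domain, issued_challenge, client_blob)
    return hmac.compare_digest(expected, proof)

# Constructed sample values (not taken from any real capture).
NT_HASH = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
USER, DOMAIN = "fflintstone", "EXAMPLE"
# Simplified blob: header, timestamp, client challenge, reserved bytes.
CLIENT_BLOB = (bytes.fromhex("0101000000000000") + bytes(8)
               + bytes.fromhex("aabbccddeeff0011") + bytes(4))
CHALLENGE_1 = bytes.fromhex("1122334455667788")  # challenge seen in the capture
CHALLENGE_2 = bytes.fromhex("8877665544332211")  # challenge of a later session

def demo() -> dict:
    captured = nt_proof(NT_HASH, USER, DOMAIN, CHALLENGE_1, CLIENT_BLOB)
    return {
        # The value verifies only against the challenge it was computed for.
        "valid_for_original_challenge": server_accepts(
            NT_HASH, USER, DOMAIN, CHALLENGE_1, captured, CLIENT_BLOB),
        # A new session issues a new challenge, so the same bytes are rejected.
        "accepted_for_new_challenge": server_accepts(
            NT_HASH, USER, DOMAIN, CHALLENGE_2, captured, CLIENT_BLOB),
        # What crosses the wire is a keyed digest, never the NT hash itself.
        "captured_equals_nt_hash": captured == NT_HASH,
    }

if __name__ == "__main__":
    print(demo())
```

Because the server picks a fresh challenge for every session, the captured proof is not a reusable credential the way a raw NT hash is.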