{"id":531,"date":"2020-04-02T15:13:46","date_gmt":"2020-04-02T15:13:46","guid":{"rendered":"http:\/\/blog.redforce.io\/?p=531"},"modified":"2024-12-14T15:24:04","modified_gmt":"2024-12-14T15:24:04","slug":"windows-authentication-and-attacks-part-1-ntlm","status":"publish","type":"post","link":"https:\/\/blog.redforce.io\/windows-authentication-and-attacks-part-1-ntlm\/","title":{"rendered":"Windows authentication attacks &#8211; part 1"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"Arabic\"><\/span>Arabic<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>I illustrated most of the concepts in this blog post in Arabic in the following video.<\/p>\n<p><iframe loading=\"lazy\" title=\"Windows authentication attacks - Part 1\" width=\"1040\" height=\"780\" src=\"https:\/\/www.youtube.com\/embed\/Q9_wUoWMAg8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>The video doesn&#8217;t contain all the details in the post, but it will give you the fundamentals you need to proceed with the next parts.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Windows_hashes\"><\/span>Windows hashes<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h1><span class=\"ez-toc-section\" id=\"LM_hashes\"><\/span>LM hashes<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>LM was the dominant <span style=\"color: #ff0000;\">password storing<\/span> algorithm on Windows up to Windows XP\/Windows Server 2003.<br \/>\nIt&#8217;s disabled by default since Windows Vista\/Windows Server 2008.<br \/>\nLM was a weak hashing algorithm for many reasons; you will figure these reasons out once you know how LM hashing works.<\/p>\n<p><strong>LM hash generation<\/strong><\/p>\n<p><img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-full wp-image-532\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/lmhash.jpg\" alt=\"LM hash generation.\" width=\"760\" height=\"1105\" \/><\/p>\n<p>Let\u2019s assume that the user\u2019s password is <strong>PassWord<\/strong><br \/>\n1 \u2013 All characters are converted to upper case<br \/>\nPassWord -&gt; PASSWORD<br \/>\n2 \u2013 If the password\u2019s length is less than 14 characters, it is padded with null characters so that its length becomes 14; the result will be PASSWORD000000<br \/>\n3 \u2013 These 14 characters are split into 2 halves<br \/>\nPASSWOR<br \/>\nD000000<br \/>\n4 \u2013 Each half is converted to bits, and after every 7 bits a parity bit (0) is added, so the result is a 64-bit DES key.<br \/>\n1101000011 -&gt; 1101000<span style=\"color: #ff0000;\">0<\/span>011<br \/>\nAs a result, we get two keys from the 2 pre-generated halves after adding these parity bits<br \/>\n5 \u2013 Each of these keys is then used to encrypt the string \u201cKGS!@#$%\u201d using the DES algorithm in ECB mode, so that the result would be<br \/>\nPASSWOR = <span style=\"color: #ff0000;\">E52CAC67419A9A22<\/span><br \/>\nD000000 = <span style=\"color: #0000ff;\">4A3B108F3FA6CB6D<\/span><br \/>\n6 \u2013 The outputs of the two halves are then concatenated, and that makes up the LM hash<br \/>\n<span style=\"color: #ff0000;\">E52CAC67419A9A22<\/span><span style=\"color: #0000ff;\">4A3B108F3FA6CB6D<\/span><\/p>\n<p>You can get the same result using the following Python line (the case of the input doesn\u2019t matter, so \u201cpassword\u201d gives the same hash as \u201cPassWord\u201d).<br \/>\n<code class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">python -c 'from passlib.hash import lmhash; print(lmhash.hash(\"password\"))'<\/code><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-535\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1.png\" alt=\"\" width=\"939\" height=\"93\" \/><\/p>\n<p><strong>Disadvantages<\/strong><\/p>\n<p>As you may already suspect, this is a very weak algorithm.<br \/>\nEach hash corresponds to a lot of possible passwords; for example, the hashes of the following passwords<br \/>\nPassword1<br \/>\npAssword1<br \/>\nPASSWORD1<br \/>\nPassWord1 . . . 
etc.<br \/>\nwill all be the same!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-536\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-1.png\" alt=\"\" width=\"939\" height=\"116\" \/><\/p>\n<p>Let\u2019s assume a password like passwordpass123<br \/>\nThe upper and lowercase combinations amount to more than 32000 possibilities, and all of them will have the same hash!<br \/>\nYou can give it a try.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">import itertools\n\npassword = \"Passwordpass123\"\n# choose upper or lower case for each of the 15 characters: 2**15 = 32768 items\n# (the three digits have no case, so only 2**12 of these spellings are distinct)\nvariants = list(map(''.join, itertools.product(*zip(password.upper(), password.lower()))))\nprint(len(variants))\n<\/pre>\n<p>Also, splitting the password into two halves makes it easier, as the attacker only has to brute force a seven-character password!<br \/>\nLM hashing accepts only the 95 printable ASCII characters, and since all lowercase characters are converted to upper case, that leaves only 69 possibilities per character, which makes it just 7.5 trillion (69^7) possibilities for each half instead of 69^14 for the whole 14 characters.<br \/>\nRainbow tables already exist containing all these possibilities, so cracking LAN Manager hashes isn&#8217;t a problem at all.<br \/>\nMoreover, if the password is seven characters or fewer, the attacker doesn\u2019t need to brute force the 2nd half at all, as it has the fixed value of <span style=\"color: #0000ff;\">AAD3B435B51404EE<\/span> (the DES encryption of the constant string using an all-null key half).<br \/>\nExample<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-537\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-2.png\" alt=\"\" width=\"939\" height=\"320\" \/><\/p>\n<p>Creating the hash for password123 and cracking it.<br \/>\nYou will notice that john gave me the password \u201cPASSWORD123\u201d in upper case and not \u201cpassword123\u201d; both are correct, since the LM hash discards the case.<\/p>\n<p>Obviously, the whole LM hashing design was based on the assumption that no one would reverse it and that no one would get into the internal network into a MITM position to capture it.<br \/>\nAs mentioned earlier, LM hashes are disabled by default since Windows Vista\/Windows Server 2008.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"NTLM_hash\"><\/span>NTLM hash &lt;NTHash&gt;<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"color: #0000ff;\">NTHash, AKA the NTLM<\/span> hash, is the algorithm currently used <span style=\"color: #ff0000;\">for storing passwords<\/span> on Windows systems,<br \/>\nwhile <span style=\"color: #0000ff;\">NET-NTLM<\/span> is the name of the authentication or <span style=\"color: #ff0000;\">challenge\/response protocol<\/span> used between the client and the 
server.<br \/>\nIf you have ever dumped hashes or performed a pass-the-hash attack, you have no doubt seen NTLM hashes already.<br \/>\nYou can obtain them via:<\/p>\n<p>Dumping credentials from memory using mimikatz<br \/>\nE.g. sekurlsa::logonpasswords<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-540\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-5.27.25-PM-1024x969.png\" alt=\"\" width=\"1024\" height=\"969\" \/><\/p>\n<p>Dumping the SAM, i.e. the registry hives<br \/>\nC:\\Windows\\System32\\config\\SYSTEM<br \/>\nC:\\Windows\\System32\\config\\SAM<br \/>\nthen reading the hashes offline via Mimikatz<br \/>\nlsadump::sam \/system:SystemBkup.hiv \/sam:SamBkup.hiv<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-541\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-5.31.38-PM-886x1024.png\" alt=\"\" width=\"886\" height=\"1024\" \/><\/p>\n<p>And of course via NTDS, where NTLM hashes are stored in Active Directory environments. You&#8217;re going to need administrative access over the domain controller, domain admin privileges for example.<br \/>\nYou can do this either manually or using DCSync within mimikatz as well.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-542\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-5.36.28-PM-1024x375.png\" alt=\"\" width=\"1024\" height=\"375\" \/><\/p>\n<p><strong>NTLM hash generation<\/strong><br \/>\nConverting a plaintext password into an NTLM hash isn\u2019t complicated; it depends mainly on the MD4 hashing algorithm.<br \/>\n1 \u2013 The password is encoded as Unicode (UTF-16-LE)<br \/>\n2 \u2013 MD4 is then applied to it, giving the NTLM hash<br \/>\nThat is, <span style=\"color: #ff0000;\">MD4(UTF-16-LE(password))<\/span><br \/>\n3 \u2013 Even if the hash can\u2019t be cracked, it can be abused using the <span style=\"color: #ff0000;\">pass the hash<\/span> technique, as illustrated later.<br \/>\nSince no salt is used while generating the hash, cracking an NTLM hash can be done either using pre-generated rainbow tables or using hashcat (mode 1000 is NTLM; mode 3000 is LM):<br \/>\n<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">hashcat -m 1000 -a 3 hashes.txt<\/code><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Net-NTLMv1\"><\/span>Net-NTLMv1<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This<span style=\"color: #ff0000;\"> isn\u2019t used to store passwords<\/span>; it\u2019s actually a challenge-response protocol used for client\/server authentication in order to avoid sending the user\u2019s hash over the network.<br \/>\nThis is basically how Net-NTLM authentication works in general.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-543\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-3.png\" alt=\"\" width=\"725\" height=\"231\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-543\" 
src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-3.png\" alt=\"\" width=\"725\" height=\"231\" \/><\/noscript><\/p>\n<p>I will discuss how that protocol works in detail, but all you need to know for now is that NET-NTLMv1 isn\u2019t used anymore by default, except on some old versions of Windows.<br \/>\nA NET-NTLMv1 hash looks like username::hostname:response:response:challenge<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-546\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-5.55.12-PM-1024x109.png\" alt=\"\" width=\"1024\" height=\"109\" \/><\/p>\n<p>It can\u2019t be used <span style=\"color: #ff0000;\">directly<\/span> to pass the hash, yet it can be cracked or relayed, as I will mention later.<br \/>\nSince the challenge is variable, you can\u2019t use rainbow tables against a Net-NTLMv1 hash,<br \/>\nbut you can crack it by brute-forcing the password with hashcat using<br \/>\n<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">hashcat -m 5500 -a 3 hashes.txt<\/code><\/p>\n<p>This differs from NTLMv1-SSP, in which the server challenge is modified on the client side<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-547\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-5.56.18-PM-1024x95.png\" alt=\"\" width=\"1024\" height=\"95\" \/><br \/>\nNTLMv1 and NTLMv1-SSP are treated differently during cracking and even downgrading; this will be discussed in the NTLM attacks part.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Net-NTLMv2\"><\/span>Net-NTLMv2<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A lot of improvements were made over v1; this is the version 
being used nowadays on Windows systems.<br \/>\nThe authentication steps are the same, except for the challenge-response generation algorithm and the length of the NTLM challenge-response, which in this case is variable instead of the fixed 16-byte value in Net-NTLMv1.<br \/>\nIn Net-NTLMv2, many parameters are added by the client, such as the client nonce, server nonce and timestamp as well as the username, and encrypted together; that\u2019s why you will find that the length of Net-NTLMv2 hashes varies from one user to another.<br \/>\nNet-NTLMv2 <span style=\"color: #ff0000;\">can\u2019t be used for pass the hash attacks<\/span>, or for offline relay attacks, due to the security improvements made.<br \/>\nIt can still be relayed or cracked; the process is slower but still applicable.<br \/>\nI will discuss that later as well.<br \/>\nA Net-NTLMv2 hash looks like<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-548\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-5.57.27-PM-1024x86.png\" alt=\"\" width=\"1024\" height=\"86\" \/><\/p>\n<p>It can be cracked using<br \/>\n<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">hashcat -m 5600 hash.txt<\/code><\/p>\n<h1><span class=\"ez-toc-section\" id=\"Net-NTLM_Authentication\"><\/span>Net-NTLM Authentication<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"In_a_nutshell\"><\/span>In a nutshell<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Let\u2019s assume that our client (192.168.18.132) is being used to connect to the Windows Server 2008 machine (192.168.18.139).<br \/>\nThat server isn\u2019t domain-joined, meaning that the whole authentication process happens between the client and the server without having to contact any other machine, unlike what may happen in the 2nd scenario.<br \/>\nThe whole authentication process can be illustrated in the following picture.<br \/>\nClient IP: 192.168.18.132 [Kali Linux]<br \/>\nServer IP: 192.168.18.139 [Windows Server 2008, non-domain-joined]<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-549\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-4.png\" alt=\"\" width=\"939\" height=\"531\" \/><\/p>\n<p>0 \u2013 The user enters his\/her username and password<br \/>\n1 \u2013 The client initiates a negotiation request with the server; that request includes information about the client\u2019s capabilities as well as the dialects, i.e. the protocol versions, that the client supports.<br \/>\n2 \u2013 The server picks the highest dialect and replies with the negotiation response message; then the authentication starts.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-550\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-5.png\" alt=\"\" width=\"725\" height=\"231\" \/><\/p>\n<p>3 \u2013 The client then negotiates an authentication session with the server to ask for access; this request also contains some information about the client, including the 8-byte NTLM signature (&#8216;N&#8217;, &#8216;T&#8217;, &#8216;L&#8217;, &#8216;M&#8217;, &#8216;S&#8217;, &#8216;S&#8217;, &#8216;P&#8217;, &#8216;\\0&#8217;).<br \/>\n4 \u2013 The server responds to the request by sending an NTLM challenge<br \/>\n5 \u2013 The client then encrypts that challenge with the hash of the password entered earlier and sends its username, the challenge and the challenge-response back to the server (additional data is sent when using NetNTLM-v2).<br \/>\n6 \u2013 The server encrypts the challenge as well, using its own copy of the user\u2019s hash, which is stored 
locally on the server in case of local authentication or pass the information to the domain controller in case of domain authentication, comparing it to the challenge-response, if equal then the login is successful.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"1-2_negotiation_requestresponse\"><\/span>1-2 : negotiation request\/response<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>launch Wireshark and initiate the negotiation process using the following python lines<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">from impacket.smbconnection import SMBConnection, SMB_DIALECT\r\nmyconnection = SMBConnection(\"jnkfo\",\"192.168.18.139\")<\/pre>\n<p>These couple lines represent the 1<sup>st<\/sup> two negotiation steps of the previous picture without proceeding with the authentication process.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-551\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-6.png\" alt=\"\" width=\"939\" height=\"197\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-551\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-6.png\" alt=\"\" width=\"939\" height=\"197\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-6.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-6-300x63.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-6-768x161.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>Using the \u201c<strong>smb or smb2<\/strong>\u201d filter<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-552\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" 
data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-7.png\" alt=\"\" width=\"939\" height=\"131\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-552\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-7.png\" alt=\"\" width=\"939\" height=\"131\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-7.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-7-300x42.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-7-768x107.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>In the negotiation you will notice that the client sent its request over SMB (version 1), yet the server replied with an SMB2 negotiate response and the client then negotiated again over SMB2.<br \/>\nThat is simply the dialects at work: the SMB1 request lists the dialect strings the client supports, and when that list includes an SMB2 dialect (\u201cSMB 2.002\u201d or the wildcard \u201cSMB 2.???\u201d) an SMB2-capable server answers in SMB2, so the client re-runs the negotiation natively over SMB2.<br \/>\nInspecting the packet shows the following<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-553\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-8.png\" alt=\"\" width=\"939\" height=\"627\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-553\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-8.png\" alt=\"\" width=\"939\" height=\"627\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-8.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-8-300x200.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-8-768x513.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>As mentioned earlier, the client offers the dialects it supports and the server chooses which one to use; by default it picks the one with the highest level of functionality that both client and server support.<br \/>\nIf the best is SMB2, then SMB2 it is.<br \/>\nYou can, however, force a specific dialect (assuming the server still supports it) with<br \/>\n<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">myconnection.negotiateSession(preferredDialect=\"NT LM 0.12\")<\/code> (the SMB_DIALECT constant imported above holds the same string)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-554\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-9.png\" alt=\"\" width=\"939\" height=\"335\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-554\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-9.png\" alt=\"\" width=\"939\" height=\"335\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-9.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-9-300x107.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-9-768x274.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><br \/>\nOnly the NT LM 0.12 dialect was offered, so the server answered in SMB (version 1) and the rest of the authentication runs over that protocol. Note that on current Windows builds (Windows 10 version 1709 and Windows Server 2019 and later) SMB1 is no longer installed by default, so such a server won\u2019t answer a request that offers only this dialect.<br \/>\nNeedless to say, the \u201cLM\u201d in the dialect name is historical: since Windows Vista \/ Windows Server 2008 the LM response is no longer sent by default (LmCompatibilityLevel defaults to 3, which sends NTLMv2 responses only) and the LM hash is no longer stored.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"3_%E2%80%93_Session_Setup_Request_Type_1_message\"><\/span>3 \u2013 Session Setup Request (Type 1 message)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-555\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-10.png\" alt=\"\" width=\"939\" height=\"295\" \/><noscript><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-555\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-10.png\" alt=\"\" width=\"939\" height=\"295\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-10.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-10-300x94.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-10-768x241.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><br \/>\nThe following line starts the authentication (session setup). The domain argument of login() defaults to an empty string, so this authenticates as a local account of the target; a domain account is passed as login(user, password, domain).<br \/>\n<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">myconnection.login(\"Administrator\", \"P@ssw0rd\")<\/code><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-556\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-11.png\" alt=\"\" width=\"939\" height=\"404\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-556\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-11.png\" alt=\"\" width=\"939\" height=\"404\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-11.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-11-300x129.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-11-768x330.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><br \/>\nThe \u201cSession Setup Request\u201d packet carries the [&#8216;N&#8217;, &#8216;T&#8217;, &#8216;L&#8217;, &#8216;M&#8217;, &#8216;S&#8217;, &#8216;S&#8217;, &#8216;P&#8217;, &#8216;\\0&#8217;] signature, the negotiate flags announcing the options the client supports or requests, and the <span style=\"color: #ff0000;\">NTLM Message Type<\/span>, which is <span style=\"color: #ff0000;\">1<\/span> for this message.<br \/>\nAn interesting flag is NTLMSSP_NEGOTIATE_TARGET_INFO, which asks the server to include a block of target information in its challenge, as will be seen in step 4.<br \/>\nAnother interesting flag is <span style=\"color: #ff0000;\">NEGOTIATE_SIGN<\/span>, which requests message signing for the session and therefore matters a great deal for relay attacks, as will be discussed later.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-557\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-12.png\" alt=\"\" width=\"939\" height=\"306\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-557\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-12.png\" alt=\"\" width=\"939\" height=\"306\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-12.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-12-300x98.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-12-768x250.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<h2><span class=\"ez-toc-section\" id=\"4_%E2%80%93_Session_Setup_Response_Type_2_message\"><\/span>4 \u2013 Session Setup Response (Type 2 message)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-558\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13.png\" alt=\"\" width=\"939\" height=\"375\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-558\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13.png\" alt=\"\" width=\"939\" height=\"375\" 
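srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13.png 939w\" \/><\/noscript><\/p>\n<p>Before walking through the fields of this response one by one, here is the Type 1 \/ Type 2 exchange of steps 3 and 4 in code, as an added example that is not part of the original post: it builds a Type 1 message with the flags discussed above, builds a Type 2 message of the kind dissected in this section from constructed values (the server challenge, the target name EXCH01 and the AV pairs are made up for the example; nothing is read from a real host) and parses it back to recover the challenge, the negotiated flags and the target information. The field layout follows MS-NLMP; the same parser applies to the base64 blob of a WWW-Authenticate: NTLM header, which is how the domain name of an Exchange server is obtained from the outside.<\/p>\n
```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5) relevant to the discussion.
FLAGS = {
    "NEGOTIATE_UNICODE": 0x00000001,
    "REQUEST_TARGET": 0x00000004,
    "NEGOTIATE_SIGN": 0x00000010,
    "NEGOTIATE_SEAL": 0x00000020,
    "NEGOTIATE_NTLM": 0x00000200,
    "NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "TARGET_TYPE_SERVER": 0x00020000,
    "NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NEGOTIATE_TARGET_INFO": 0x00800000,
    "NEGOTIATE_128": 0x20000000,
    "NEGOTIATE_KEY_EXCH": 0x40000000,
    "NEGOTIATE_56": 0x80000000,
}
# AV_PAIR ids (MS-NLMP 2.2.2.1) carried in the Type 2 target information block.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}


def flag_names(flags: int) -> list:
    return [name for name, bit in FLAGS.items() if flags & bit]


def build_type1(flags: int) -> bytes:
    """NEGOTIATE_MESSAGE: signature, type 1, flags, empty DomainName and Workstation fields
    (their offsets point past the 32-byte fixed part; no Version field, NEGOTIATE_VERSION is unset)."""
    return (SIGNATURE + struct.pack("<II", 1, flags)
            + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))


def av_pairs(pairs) -> bytes:
    """Encode (AvId, value) pairs; str values become UTF-16LE; terminated by MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        data = value.encode("utf-16le") if isinstance(value, str) else value
        out += struct.pack("<HH", av_id, len(data)) + data
    return out + struct.pack("<HH", 0, 0)


def build_type2(flags: int, target_name: str, server_challenge: bytes, target_info: bytes) -> bytes:
    """CHALLENGE_MESSAGE as a server would send it: 48-byte fixed part, then the payload."""
    name = target_name.encode("utf-16le")
    return (SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), 48)              # TargetNameFields
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8  # flags, challenge, reserved
            + struct.pack("<HHI", len(target_info), len(target_info), 48 + len(name))
            + name + target_info)


def parse_type2(msg: bytes) -> dict:
    """Extract server challenge, flags, target name and decoded AV pairs from a Type 2 message."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    info, pos, end = {}, info_off, info_off + info_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:                                   # MsvAvEOL
            break
        raw = msg[pos:pos + av_len]
        pos += av_len
        if av_id == 7:
            info["Timestamp"] = struct.unpack("<Q", raw)[0]   # Windows FILETIME
        else:
            info[AV_NAMES.get(av_id, "MsvAv%d" % av_id)] = raw.decode("utf-16le", "replace")
    return {"flags": flag_names(flags),
            "target_name": msg[name_off:name_off + name_len].decode("utf-16le"),
            "server_challenge": msg[24:32],
            "target_info": info}


def www_authenticate_header(type2: bytes) -> str:
    return "NTLM " + base64.b64encode(type2).decode()


def parse_www_authenticate(header: str) -> dict:
    """'WWW-Authenticate: NTLM <base64>' as IIS/Exchange returns it after a Type 1 message."""
    return parse_type2(base64.b64decode(header.split()[-1]))


# Constructed sample exchange (no real host involved).
CLIENT_FLAGS = (FLAGS["NEGOTIATE_UNICODE"] | FLAGS["REQUEST_TARGET"] | FLAGS["NEGOTIATE_SIGN"]
                | FLAGS["NEGOTIATE_NTLM"] | FLAGS["NEGOTIATE_ALWAYS_SIGN"]
                | FLAGS["NEGOTIATE_EXTENDED_SESSIONSECURITY"] | FLAGS["NEGOTIATE_TARGET_INFO"]
                | FLAGS["NEGOTIATE_128"] | FLAGS["NEGOTIATE_KEY_EXCH"] | FLAGS["NEGOTIATE_56"])
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_TYPE2 = build_type2(
    CLIENT_FLAGS | FLAGS["TARGET_TYPE_SERVER"], "EXCH01", SAMPLE_CHALLENGE,
    av_pairs([(2, "LAB"), (1, "EXCH01"), (4, "lab.local"), (3, "exch01.lab.local"),
              (5, "lab.local"), (7, struct.pack("<Q", 132300000000000000))]))

if __name__ == "__main__":
    print("Type 1:", build_type1(CLIENT_FLAGS).hex())
    print("Type 2 parsed:", parse_type2(SAMPLE_TYPE2))
```
\n<p>Against a real target you feed parse_type2() the NTLMSSP blob Wireshark shows in the Session Setup Response, or parse_www_authenticate() the header value an IIS or Exchange endpoint returns; the flags list tells you at a glance whether the server agreed to signing, and the target information gives you NetBIOS and DNS names of the host and its domain before any credential has been checked.<\/p>\n<p><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-558\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13.png\" alt=\"\" width=\"939\" height=\"375\" 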
srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13-300x120.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-13-768x307.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>In the response we get the NTLMSSP signature again.<br \/>\nThe <span style=\"color: #ff0000;\">message type<\/span> must be <span style=\"color: #ff0000;\">2<\/span> in this case.<br \/>\nBecause we sent the NTLMSSP_NEGOTIATE_TARGET_INFO flag earlier, the message also carries the target name and a target-information block (AV pairs holding the NetBIOS and DNS names of the server and its domain, the forest name and a timestamp), which is a wealth of information about the target, all of it handed out before any credential is checked.<br \/>\nA good example is learning the internal domain name of an internet-facing Exchange server from nothing more than the NTLM challenge it returns.<br \/>\nThe most important part is the NTLM challenge, the 8-byte server nonce.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-559\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-14.png\" alt=\"\" width=\"654\" height=\"350\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-559\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-14.png\" alt=\"\" width=\"654\" height=\"350\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-14.png 654w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-14-300x161.png 300w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><\/noscript><\/p>\n<h2><span class=\"ez-toc-section\" id=\"5_%E2%80%93_Session_Setup_Request_Type_3_message\"><\/span>5 &#8211; Session Setup Request (Type 3 message)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Long story short, the client needs to prove that it knows the user\u2019s password without sending the plaintext password, or even the NT hash, over the network.<br \/>\nSo instead it derives the NT hash, uses it (directly in NTLMv1, through the NTLMv2 hash in NTLMv2) to key a response to the server&#8217;s challenge, and sends that response back along with the user name.<br \/>\nThat&#8217;s how the process works in general.<\/p>\n<p>In NTLMv2 the client first hashes the plaintext password the user entered into the NT hash with the MD4 algorithm described earlier, then derives the NTLMv2 hash (NTOWFv2 in MS-NLMP) from it.<br \/>\nThe input of the NTLMv2 hash is<br \/>\n&#8211; The upper-case username<br \/>\n&#8211; The domain name the client authenticates with (not upper-cased), both encoded as UTF-16LE.<br \/>\nHMAC-MD5 is applied to this concatenation using the NT hash of the user\u2019s password as the key, and the 16-byte result is the NTLMv2 hash.<\/p>\n<p>A blob (the NTLMv2_CLIENT_CHALLENGE structure) is then built containing<br \/>\n&#8211; A fixed header (response type 1, 1, and reserved zero bytes)<br \/>\n&#8211; Timestamp (Windows FILETIME)<br \/>\n&#8211; Client nonce (8 bytes)<br \/>\n&#8211; Target information block copied from the type 2 message<br \/>\nThe challenge from the type 2 message followed by this blob is fed to HMAC-MD5 keyed with the NTLMv2 hash (this is a MAC, not an encryption: nothing here is reversible).<br \/>\nLastly, that 16-byte output (NTProofStr) is prepended to the blob to form the NTLMv2 challenge-response carried in the type 3 message<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-560\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-15.png\" alt=\"\" width=\"939\" height=\"410\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-560\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-15.png\" alt=\"\" width=\"939\" height=\"410\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-15.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-15-300x131.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-15-768x335.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>So basically NTProofStr = HMAC-MD5(NTLMv2 hash, server challenge + blob)<br \/>\nand the challenge-response is NTProofStr + blob.<\/p>\n<p>Out of curiosity, and to see the difference between NTLMv1 and v2: how is the NTLMv1 response calculated?<br \/>\n1 \u2013 The NT hash of the plaintext password is computed as described earlier with MD4, so for the password P@ssw0rd the NT hash is E19CCF75EE54E06B06A5907AF13CEF42<br \/>\n2 \u2013 These 16 bytes are padded with zeros to 21 bytes: E19CCF75EE54E06B06A5907AF13CEF420000000000<br \/>\n3 \u2013 This value is split into three 7-byte thirds<br \/>\n0xE19CCF75EE54E0<br \/>\n0x6B06A5907AF13C<br \/>\n0xEF420000000000<br \/>\n4 \u2013 Each third becomes a 64-bit DES key by inserting one parity bit after every 7 bits<br \/>\nSo for the 1<sup>st<\/sup> key 0xE19CCF75EE54E0<br \/>\n11100001 10011100 11001111 01110101 11101110 01010100 11100000<br \/>\nregrouped into 7-bit groups<br \/>\n1110000 1100111 0011001 1110111 0101111 0111001 0101001 1100000<br \/>\neach group gets a parity bit appended as the low bit of its byte (shown in red; DES ignores this bit, so 0 is used here, while a strict implementation would set odd parity)<br \/>\n1110000<span style=\"color: #ff0000;\">0<\/span> 1100111<span style=\"color: #ff0000;\">0<\/span> 0011001<span style=\"color: #ff0000;\">0<\/span> 1110111<span style=\"color: #ff0000;\">0<\/span> 0101111<span style=\"color: #ff0000;\">0<\/span> 0111001<span style=\"color: #ff0000;\">0<\/span> 0101001<span style=\"color: #ff0000;\">0<\/span> 1100000<span style=\"color: #ff0000;\">0<\/span><br \/>\nIn hex: 0xE0CE32EE5E7252C0<br \/>\nThe same goes for the other 2 keys<br \/>\n5 \u2013 Each of the three keys is used to DES-encrypt the 8-byte challenge from the type 2 message.<br \/>\n6 \u2013 The three 8-byte results are concatenated to form the 24-byte NTLMv1 response.<br \/>\nSo<span style=\"color: #ff0000;\"> in NTLMv1 there is no client nonce or timestamp sent to the server<\/span> (unless NTLM2 session security is negotiated, which mixes a client nonce into the challenge first); keep that in mind for later.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"6_%E2%80%93_Session_Setup_Response\"><\/span>6 \u2013 Session Setup Response<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The server receives the type 3 message, which contains the challenge-response.<br \/>\nThe server has its own copy of the user\u2019s NT hash, the challenge it issued and (from the blob the client sent back) all the other information needed to compute the challenge-response itself.<br \/>\nThe server then compares the value it computed with the value it got from the client.<br \/>\nNeedless to say, if the NT hash the client used differs from the NT hash of the user\u2019s password stored on the server (the user entered a wrong password), the client\u2019s challenge-response won\u2019t match the server\u2019s output.<br \/>\nThe user then gets a STATUS_LOGON_FAILURE (or ACCESS_DENIED) error<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-561\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-16.png\" alt=\"\" width=\"939\" height=\"389\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-561\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-16.png\" alt=\"\" width=\"939\" height=\"389\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-16.png 939w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-16-300x124.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-16-768x318.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/noscript><\/p>\n<p>If instead the user entered the correct password, the NT hash is the same, the challenge-response computed on both sides is the same and the login succeeds. Note that at no point does the server need the plaintext: the NT hash alone is the shared secret on both sides, which is exactly what pass-the-hash exploits.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-562\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" 
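\/><\/p>\n<p>Steps 5 and 6 end to end, as an added example that is not part of the original post: the NT hash (with a pure-Python MD4, because hashlib\u2019s md4 is often unavailable under OpenSSL 3), the three DES keys of the NTLMv1 response as worked through above, the NTLMv2 response and the server-side check that recomputes it from nothing but the stored NT hash, plus the NTLMv2 session base key whose derivation the NTLMSSP section below describes. The server challenge, client nonce, timestamp, target information and account names are constructed for the example; the structure layouts follow MS-NLMP, and the NTLMv1 DES encryption itself is delegated to pycryptodome, which is not in the standard library.<\/p>\n
```python
import hashlib, hmac, struct

MASK32 = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib.new('md4') is often disabled under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack_from("<16I", msg, off)
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + (b ^ c ^ d) + X[k3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE encoded password."""
    return md4(password.encode("utf-16le"))

def expand_des_key(key7: bytes, odd_parity: bool = False) -> bytes:
    """7 bytes -> 8-byte DES key; DES ignores the parity bit, so it stays 0 (as in the walk-through) unless odd_parity."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if odd_parity and bin(seven).count("1") % 2 == 0:
            byte |= 1
        out.append(byte)
    return bytes(out)

def ntlmv1_des_keys(nt: bytes) -> list:
    """NTLMv1 steps 2-4: pad the NT hash to 21 bytes, split in three, expand to three DES keys."""
    padded = nt + b"\x00" * 5
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]

def ntlmv1_response(nt: bytes, server_challenge: bytes) -> bytes:
    """NTLMv1 steps 5-6: DES-encrypt the 8-byte challenge under each key and concatenate (24 bytes)."""
    from Crypto.Cipher import DES  # pycryptodome is assumed; DES is not in the standard library
    return b"".join(DES.new(k, DES.MODE_ECB).encrypt(server_challenge) for k in ntlmv1_des_keys(nt))

def ntowfv2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 hash: HMAC-MD5 keyed with the NT hash over UTF-16LE(upper-case user + domain)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def ntlmv2_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: RespType 1, HiRespType 1, 6 reserved, FILETIME, 8-byte nonce, 4 reserved, AV pairs, 4 reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_nonce
            + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes):
    """Client side: returns (NtChallengeResponse = NTProofStr + blob, SessionBaseKey)."""
    key = ntowfv2(nt, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + blob, session_base_key

def server_verify_ntlmv2(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
                         nt_challenge_response: bytes) -> bool:
    """Step 6: with only the stored NT hash, its own challenge and the received blob, recompute and compare."""
    nt_proof, blob = nt_challenge_response[:16], nt_challenge_response[16:]
    expected, _ = ntlmv2_response(stored_nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected[:16], nt_proof)

# Constructed sample values (not from a real capture).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_NONCE = bytes.fromhex("aabbccddeeff0011")
TIMESTAMP = 132300000000000000  # Windows FILETIME, constructed
TARGET_INFO = struct.pack("<HH", 2, 6) + "LAB".encode("utf-16le") + struct.pack("<HH", 0, 0)
BLOB = ntlmv2_blob(TIMESTAMP, CLIENT_NONCE, TARGET_INFO)

def demo(password: str = "P@ssw0rd", attempt: str = "P@ssw0rd") -> dict:
    """The client types `attempt`; the server holds the NT hash of `password`."""
    nt = nt_hash(attempt)
    response, sbk = ntlmv2_response(nt, "Administrator", "LAB", SERVER_CHALLENGE, BLOB)
    return {"nt_hash": nt.hex(),
            "ntlmv1_des_keys": [k.hex() for k in ntlmv1_des_keys(nt)],
            "nt_proof_str": response[:16].hex(),
            "session_base_key": sbk.hex(),
            "login_ok": server_verify_ntlmv2(nt_hash(password), "Administrator", "LAB",
                                             SERVER_CHALLENGE, response)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    print("wrong password login_ok:", demo(attempt="Password1")["login_ok"])
```
\n<p>Running it prints the NT hash from the walk-through (e19ccf75ee54e06b06a5907af13cef42), the three DES keys (the first one is 0xE0CE32EE5E7252C0, as computed above), the NTProofStr, the session base key and login_ok True; demo(attempt=\"Password1\") returns login_ok False, the STATUS_LOGON_FAILURE case. Note that server_verify_ntlmv2() never sees a password, only the stored NT hash, and that the blob (timestamp, client nonce, target information) is taken as the client sent it, which is why the server can recompute the response and why a stolen NT hash is enough to produce a valid one.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-562\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" 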
data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-17.png\" alt=\"\" width=\"672\" height=\"266\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-562\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-17.png\" alt=\"\" width=\"672\" height=\"266\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-17.png 672w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-17-300x119.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/noscript><br \/>\nThat&#8217;s how the full authentication process happens without the NT hash or the plaintext password ever being sent over the network.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"NTLM_authentication_in_a_windows_domain_environment\"><\/span>NTLM authentication in a windows domain environment<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The process is the same as described above, except that domain users\u2019 credentials are stored on the domain controllers.<br \/>\nSo validating the challenge-response [Type 3 message] makes the server use its Netlogon secure channel to a domain controller, where the password hashes live.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-563\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-18.png\" alt=\"\" width=\"937\" height=\"137\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-563\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-18.png\" alt=\"\" width=\"937\" height=\"137\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-18.png 937w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-18-300x44.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Picture1-18-768x112.png 768w\" sizes=\"auto, (max-width: 937px) 100vw, 937px\" \/><\/noscript><\/p>\n<p>The server forwards the domain name, username, challenge and challenge-response to the domain controller (a NetrLogonSamLogon call over the secure channel), and the DC decides whether the password is correct from the hash saved in its NTDS.dit database (unlike the previous scenario, in which the hash came from the local SAM).<br \/>\nSo on the server side you will find the following 2 extra RPC_NETLOGON messages to and from the domain controller.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-564\" src=\"data:image\/gif;base64,R0lGODlhAQABAIAAAAAAAP\/\/\/yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\" data-src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-1024x248.png\" alt=\"\" width=\"1024\" height=\"248\" \/><noscript><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-564\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-1024x248.png\" alt=\"\" width=\"1024\" height=\"248\" srcset=\"https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-1024x248.png 1024w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-300x73.png 300w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-768x186.png 768w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-1536x372.png 1536w, https:\/\/blog.redforce.io\/wp-content\/uploads\/2020\/04\/Screen-Shot-2020-04-02-at-6.38.03-PM-2048x496.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/noscript><br \/>\nIf everything checks out, the DC returns the user\u2019s session key, together with the validation information the server needs to build the logon token, in the RPC_NETLOGON response.<\/p>\n<h2><span class=\"ez-toc-section\" 
id=\"NTLMSSP\"><\/span>NTLMSSP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To fully understand that mechanism you need to know a few things about NTLMSSP; we\u2019ll cover it briefly here and dig deeper into it in the attacks part.<br \/>\nFrom <a href=\"https:\/\/en.wikipedia.org\/wiki\/NTLMSSP\">Wikipedia<\/a><\/p>\n<blockquote><p>NTLMSSP (NT LAN Manager (NTLM) Security Support Provider) is a binary messaging protocol used by the Microsoft Security Support Provider Interface (SSPI) to facilitate NTLM challenge-response authentication and to negotiate integrity and confidentiality options. NTLMSSP is used wherever SSPI authentication is used including Server Message Block \/ CIFS extended security authentication, HTTP Negotiate authentication (e.g. IIS with IWA turned on) and MSRPC services.<br \/>\nThe NTLMSSP and NTLM challenge-response protocol have been documented in Microsoft&#8217;s Open Protocol Specification.<\/p><\/blockquote>\n<p>The SSP is the component, plugged into Microsoft\u2019s SSPI framework, that handles the whole NTLM authentication and integrity process.<br \/>\nLet&#8217;s repeat the previous authentication process in terms of the SSPI calls<\/p>\n<p>1 &#8211; The client obtains a handle to the user&#8217;s credentials via the <span style=\"color: #ff0000;\">AcquireCredentialsHandle<\/span> function<br \/>\n2 &#8211; The <span style=\"color: #ff0000;\">Type 1 message<\/span> is created by calling the <span style=\"color: #ff0000;\">InitializeSecurityContext<\/span> function, which starts the authentication negotiation and returns an authentication token; the token is forwarded to the server and carries the 8-byte NTLMSSP signature mentioned before.<br \/>\n3 &#8211; The server receives the &#8220;<span style=\"color: #ff0000;\">Type 1 message<\/span>&#8221;, extracts the token and passes it to the <span style=\"color: #ff0000;\">AcceptSecurityContext<\/span> function, which creates a local security context representing the client, generates the NTLM challenge and returns it to be sent back to the client (<span style=\"color: #ff0000;\">Type 2 message<\/span>).<br \/>\n4 &#8211; The client extracts the challenge and passes it to <span style=\"color: #ff0000;\">InitializeSecurityContext<\/span> again, which produces the challenge-response (<span style=\"color: #ff0000;\">Type 3 message<\/span>)<br \/>\n5 &#8211; The server passes the <span style=\"color: #ff0000;\">Type 3 message<\/span> to <span style=\"color: #ff0000;\">AcceptSecurityContext<\/span> again, which validates it as described earlier and reports whether the user is authenticated.<\/p>\n<p>These functions have nothing to do with the SMB protocol itself; they belong to NTLMSSP, so they are called whenever authentication is done with NTLMSSP, whatever service you are talking to (SMB, HTTP, LDAP, MSRPC).<\/p>\n<p>How does NTLMSSP assure integrity?<br \/>\nTo assure integrity, the SSP appends a message authentication code (MAC) to each message, the signature that NTLMSSP_NEGOTIATE_SIGN asks for. Only the recipient can verify it, and it prevents manipulation of the message on the fly (in a MITM attack, for example).<br \/>\nThe signature is computed with a secret key shared by the two parties (HMAC-MD5 plus RC4 with NTLMv2 session security, CRC32 plus RC4 in the legacy NTLMv1 scheme), so it can only be verified by someone who holds that key (the client and the server).<br \/>\nHow that key is derived differs between NTLMv1 and NTLMv2.<br \/>\nIn NTLMv1 the session base key is MD4(NT hash).<br \/>\nIn NTLMv2<br \/>\n1 &#8211; The NTLMv2 hash is obtained as described earlier<br \/>\n2 &#8211; The NTLMv2 blob is obtained as described earlier<br \/>\n3 &#8211; The server challenge concatenated with the blob is run through HMAC-MD5 keyed with the NTLMv2 hash (this is NTProofStr, the first 16 bytes of the challenge-response)<br \/>\n4 &#8211; That output is run through HMAC-MD5 again, keyed with the NTLMv2 hash: HMAC-MD5(NTLMv2 hash, OUTPUT_FROM_STEP_3)<br \/>\nAnd that&#8217;s the session base key (when NTLMSSP_NEGOTIATE_KEY_EXCH is negotiated the client instead picks a random session key and sends it in the type 3 message RC4-encrypted under this base key; the signing and sealing keys are then derived from whichever key is in use).<br \/>\nYou&#8217;ll notice that deriving that key requires knowing the NT hash in both cases, NTLMv1 and NTLMv2, so the only parties that can hold it are the client and the server (or the domain controller, which hands it to the server over the Netlogon secure channel).<br \/>\nA MITM that merely relays the messages doesn&#8217;t have it and so can&#8217;t sign or manipulate them.<br \/>\nThis isn&#8217;t always the case, of course: signing has its own prerequisites and therefore its own weaknesses, which will be discussed in the next parts, where we dig deeper into the internals of the authentication and integrity process to understand how these features are abused.<\/p>\n<h1><span class=\"ez-toc-section\" id=\"Conclusion_and_references\"><\/span>Conclusion and references<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>We&#8217;ve discussed the difference between the LM and NT hashes and the NTLMv1 and NTLMv2 responses.<br \/>\nI went through the NTLM authentication process and gave a quick overview of the NTLMSSP&#8217;s main functions.<br \/>\nIn the next parts we will dig deeper into how NTLMSSP works and how the NTLM authentication mechanism can be abused.<br \/>\nIf you believe there is any mistake or update that needs to be added, feel free to contact me on <a href=\"https:\/\/twitter.com\/0x4148\">Twitter<\/a>.<\/p>\n<p>References<br \/>\n<a href=\"http:\/\/davenport.sourceforge.net\/ntlm.html\">The NTLM Authentication Protocol and Security Support Provider<\/a><br \/>\n<a href=\"https:\/\/www.amazon.com\/Mechanics-User-Identification-Authentication-Fundamentals\/dp\/1420052195\/\">Mechanics of User Identification and Authentication: Fundamentals of Identity Management<\/a><br \/>\n<a href=\"https:\/\/docs.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-nlmp\/b38c36ed-2804-4868-a9ff-8dd3182128e4\">[MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol<\/a><br \/>\n<a href=\"https:\/\/medium.com\/@petergombos\/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4\">LM, NTLM, Net-NTLMv2, oh my!<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In order to understand attacks such as Pass the hash, relaying, Kerberos attacks, one should have pretty good knowledge about the 
windows Authentication \/ Authorization process.<br \/>\nThat&#8217;s what we&#8217;re going to achieve in this series.<br \/>\nIn this part we&#8217;re discussing the different types of windows hashes and focus on the NTLM authentication process.<\/p>\n","protected":false},"author":2,"featured_media":568,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61],"tags":[],"class_list":["entry","author-a-sultan","has-excerpt","post-531","post","type-post","status-publish","format-standard","has-post-thumbnail","category-red-teaming"],"_links":{"self":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/comments?post=531"}],"version-history":[{"count":9,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/531\/revisions"}],"predecessor-version":[{"id":576,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/531\/revisions\/576"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media\/568"}],"wp:attachment":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media?parent=531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/categories?post=531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/tags?post=531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}