Nosferatu – Lsass NTLM Authentication Backdoor

How it Works

First, the DLL is injected into the lsass.exe process and begins hooking authentication WinAPI calls. The targeted function is MsvpPasswordValidate(), located in NtlmShared.dll. To avoid detection, the hook first calls the original function so that the normal authentication flow proceeds unchanged. Only when that original call reports a failed authentication does the hook swap the account's real NTLM hash for the backdoor hash and repeat the comparison.
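From the defender's side, the mechanism above leaves one durable artifact: a DLL resident in lsass.exe that does not belong to Windows. The following added example (not code from the Nosferatu project or the original page) checks a module inventory for exactly that. The listing format, the trusted-directory allow-list, and the file name `nosferatu.dll` are all assumptions constructed for illustration; in practice the input would come from Procexp, `tasklist /m`, or an EDR module inventory.

```python
"""
Flag DLLs loaded into lsass.exe that live outside the Windows system
directories. The constructed module listing below stands in for what a
defender would export from Procexp, tasklist /m, or an EDR module
inventory; the paths and the hypothetical 'nosferatu.dll' are assumptions
for illustration, not values taken from the original page.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which lsass.exe legitimately loads modules (assumption:
# a reasonable allow-list for a default install; tune it against your own
# baseline of a known-clean host).
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\WinSxS",
)


@dataclass(frozen=True)
class LoadedModule:
    process: str   # image name of the owning process
    pid: int
    path: str      # full path of the loaded module


def is_under(path: str, root: str) -> bool:
    """True if `path` lies inside directory `root` (case-insensitive Windows paths)."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return r in p.parents


def parse_listing(text: str):
    """Parse a constructed CSV-style listing: process,pid,module_path per line."""
    modules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proc, pid, path = (field.strip() for field in line.split(",", 2))
        modules.append(LoadedModule(proc, int(pid), path))
    return modules


def suspicious_lsass_modules(modules, trusted_dirs=TRUSTED_DIRS):
    """Return modules loaded into lsass.exe whose path is outside trusted_dirs."""
    hits = []
    for m in modules:
        if m.process.lower() != "lsass.exe":
            continue  # only the authentication process matters for this check
        if not any(is_under(m.path, d) for d in trusted_dirs):
            hits.append(m)
    return hits


# Constructed sample listing (not real telemetry).
SAMPLE_LISTING = """
# process,pid,module_path
lsass.exe,712,C:\\Windows\\System32\\lsass.exe
lsass.exe,712,C:\\Windows\\System32\\NtlmShared.dll
lsass.exe,712,C:\\Windows\\System32\\msv1_0.dll
lsass.exe,712,C:\\Users\\Public\\nosferatu.dll
explorer.exe,4120,C:\\Users\\Public\\nosferatu.dll
"""

if __name__ == "__main__":
    for m in suspicious_lsass_modules(parse_listing(SAMPLE_LISTING)):
        print(f"ALERT: lsass.exe (pid {m.pid}) loaded {m.path}")
```

The path check uses `PureWindowsPath.parents` rather than a string prefix so that a sibling directory such as `C:\Windows\System32.evil` is not mistaken for the real `System32`. A path-based allow-list is only the first filter; a module inside `System32` still deserves a signature check and a hash comparison against a known-good baseline.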

Usage

Nosferatu must be compiled as a 64-bit DLL and injected using a DLL injector that holds SeDebugPrivilege.


You can see the DLL loaded into lsass.exe using Procexp:

[Figure: Procexp showing the injected DLL loaded in lsass.exe]

Login example using Impacket:

[Figure: Impacket login using the backdoor password]

Limitations

In an Active Directory environment, authentication via RDP, runas, or the lock screen does not work with the nosferatu password. Authentication using SMB, WinRM, and WMI is still possible.

In a non-AD environment, authentication with the backdoor password works for all of the above methods.
