LinuxQuestions.org
Old 08-15-2012, 03:24 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
NTLMv2 Verification Using Linux (rpcclient & regshell)


How can one verify that a Windows system is using NTLMv2 using Linux? I have used the tools:

Code:
rpcclient
regshell
but cannot seem to find what I am looking for. I don't know what exact registry key string to look for, and if so I would use regshell and it would make it rather easy for verification:

Code:
regshell -b rpc -R "ncacn_np:192.168.1.1" -U "testuser"
HKEY_CLASSES_ROOT\> predef HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\> list
K HARDWARE
K SAM
K SECURITY
K SOFTWARE
K SYSTEM
Using rpcclient I can browse around, but to no avail:

Code:
rpcclient \\\\192.168.1.1 -U testuser
rpcclient $> samquerysecobj
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE 
DACL
	ACL	Num ACEs:	2	revision:	2
	---
	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x31
		Permissions: 0x20031: READ_CONTROL_ACCESS 
		SID: S-1-1-0

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x3f
		Permissions: 0xf003f: WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS 
		SID: S-1-5-32-544

rpcclient $> querydominfo
Domain:		TESTSERVER
Server:		
Comment:	
Total Users:	56
Total Groups:	0
Total Aliases:	11
Sequence No:	1
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1
Any suggestions?

Last edited by metallica1973; 08-15-2012 at 04:17 PM.
 
Old 08-16-2012, 08:16 AM   #2
ggallozz
Member
 
Registered: May 2011
Posts: 34

Rep: Reputation: Disabled
checking remote OS

Perhaps Wireshark or Nmap could help you.
 
Old 08-16-2012, 09:51 AM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Thanks for the reply. I made progress and found the key value that will show you if the system is configured to use NTLMv2:

Code:
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel"
http://technet.microsoft.com/en-us/l.../cc960646.aspx
http://atc.caltech.edu/node/402

So if the system has this key value, you can view this via:

Code:
regshell -b rpc -R "ncacn_np:192.168.1.155" -U "TESTNETWORK.local\testadmin" 
Password for [TESTNETWORK.LOCAL\testadmin]:
HKEY_CLASSES_ROOT\> predef HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\> ck "SYSTEM\CurrentControlSet\Control\Lsa"
New path is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa> list
K AccessProviders
K Audit
K Data
K GBG
K JD
K Kerberos
K MSV1_0
K Skew1
K SSO
K SspiCache
V "Authentication Packages" REG_MULTI_SZ (null)
V "Bounds" REG_BINARY 0030000000200000
V "Security Packages" REG_MULTI_SZ (null)
V "ImpersonatePrivilegeUpgradeToolHasRun" REG_DWORD 0x00000001
V "LsaPid" REG_DWORD 0x000002d0
V "SecureBoot" REG_DWORD 0x00000001
V "auditbaseobjects" REG_DWORD 0x00000000
V "crashonauditfail" REG_DWORD 0x00000000
V "disabledomaincreds" REG_DWORD 0x00000000
V "everyoneincludesanonymous" REG_DWORD 0x00000000
V "fipsalgorithmpolicy" REG_DWORD 0x00000000
V "forceguest" REG_DWORD 0x00000001
V "fullprivilegeauditing" REG_BINARY 00
V "limitblankpassworduse" REG_DWORD 0x00000001
V "lmcompatibilitylevel" REG_DWORD 0x00000000
V "nodefaultadminowner" REG_DWORD 0x00000001
V "nolmhash" REG_DWORD 0x00000000
V "restrictanonymous" REG_DWORD 0x00000000
V "restrictanonymoussam" REG_DWORD 0x00000001
V "Notification Packages" REG_MULTI_SZ (null)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa> print "lmcompatibilitylevel"
REG_DWORD
0x00000000
Now my question is, how can I print this in a one-liner? I have tried:

Code:
regshell -b rpc -R "ncacn_np:192.168.0.155" -U "TESTNETWORK.local\testadmin" -c "predef HKEY_LOCAL_MACHINE;ck SYSTEM\CurrentControlSet\Control\Lsa; print "lmcompatibilitylevel" "
but to no avail. Any ideas? Is there a Perl module for querying and checking registry entries?

Last edited by metallica1973; 08-16-2012 at 10:07 AM.
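
An added example, not part of the original thread: a shell helper that pulls `lmcompatibilitylevel` out of saved regshell `list` output (the format shown in post #3) and reports whether the host is set to send NTLMv2 only. The function names and the sample text are constructed for illustration; the level meanings are the ones Microsoft documents for this value.

```shell
#!/bin/sh
# Added example (not from the thread): interpret LmCompatibilityLevel
# from saved regshell "list" output.

# Constructed sample in the format shown in post #3.
sample_output='V "limitblankpassworduse" REG_DWORD 0x00000001
V "lmcompatibilitylevel" REG_DWORD 0x00000000
V "nodefaultadminowner" REG_DWORD 0x00000001'

# Read regshell output on stdin; print the level in decimal,
# or "unset" when the value is not present under the Lsa key.
lm_level() {
    raw=$(awk 'tolower($2) == "\"lmcompatibilitylevel\"" && $3 == "REG_DWORD" {
                   print $4; exit }')
    case $raw in
        0x[0-9a-fA-F]*) printf '%d\n' "$raw" ;;
        *) echo unset ;;
    esac
}

# Map a level to its documented meaning.
describe_level() {
    case $1 in
        0) echo "send LM and NTLM responses" ;;
        1) echo "send LM and NTLM; use NTLMv2 session security if negotiated" ;;
        2) echo "send NTLM response only" ;;
        3) echo "send NTLMv2 response only" ;;
        4) echo "send NTLMv2 response only; DC refuses LM" ;;
        5) echo "send NTLMv2 response only; DC refuses LM and NTLM" ;;
        unset) echo "value not set; the Windows version's default applies" ;;
        *) echo "unexpected value" ;;
    esac
}

# Succeeds only for levels at which the host sends NTLMv2 responses only.
ntlmv2_only() {
    case $1 in 3|4|5) return 0 ;; *) return 1 ;; esac
}

level=$(printf '%s\n' "$sample_output" | lm_level)
echo "LmCompatibilityLevel=$level: $(describe_level "$level")"
if ntlmv2_only "$level"; then echo "NTLMv2 only: yes"; else echo "NTLMv2 only: no"; fi
```

A missing value is reported as "unset" rather than treated as 0, since an absent `lmcompatibilitylevel` means the operating system default is in effect.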
 
Old 08-20-2012, 08:20 AM   #4
ggallozz
Member
 
Registered: May 2011
Posts: 34

Rep: Reputation: Disabled
Quote:
Originally Posted by metallica1973
.../... Is there a perl module for querying and checking registry entries?
That's not in my knowledge domain, but perhaps you can find some useful hints here
 
  

