I am unable to get NTLM Hashes using Inveigh using WinPwn #44

Open
IAMinZoho opened this issue Jul 10, 2022 · 5 comments
Labels
help wanted Extra attention is needed

Comments

@IAMinZoho

I did check the directory, but no file is created. Nothing that shows the NTLM hashes. I tried editing the Invoke-Inveigh command with FileOutput -Disabled but still couldn't make it work.
Are there any logs that I can share? I did see that the Inveigh module of WinPwn would open a new PS script process, but going through some earlier issues (posted on GitHub), I learned that the AMSI bypass was not getting applied to Inveigh. So I assume that Inveigh loads and runs in the existing PS session, but I am still unable to get the NTLM hashes. No output file in the directory.

Any help would be greatly appreciated!

@S3cur3Th1sSh1t (Owner)

It’s not loaded in a new Powershell process anymore. I did change that, so it’s running in the current process where the AMSI bypass definitely was applied before.

I cannot troubleshoot that for you, as I don’t know if any hashes were gathered at all. 🤷‍♂️ Maybe there were no incoming connections?

@S3cur3Th1sSh1t S3cur3Th1sSh1t added the help wanted Extra attention is needed label Jul 24, 2022
@IAMinZoho (Author)

Thanks for replying. I did start 2 Inveigh sessions, one from Robertson's repo and the other from WinPwn. The screenshot is from a Win 10 PC - MNPC1 (192.168.200.20), and from a domain controller - MNDC (192.168.200.2), I tried accessing MNPC1 in 2 ways:

  1. from the Run window --> \\192.168.200.20
  2. from a browser window --> http://192.168.200.20

I did get NTLM hashes on Inveigh session from Robertson, but not on the WinPwn session:

[screenshot: 1234]

Please let me know if I can share any other details.

@S3cur3Th1sSh1t (Owner)

What if you use -ConsoleOutput No in Inveigh? Because I'm using that in WinPwn. As you can see on the screenshot, the output directory is a subdirectory of your Desktop folder. The hashes should be there in a text file.

@S3cur3Th1sSh1t (Owner)

WinPwn just doesn’t print the hashes out in the console window. Can you verify that the hashes are in a text file in the screenshot folder?

@IAMinZoho (Author)

Thanks for taking the time. Yes, I did check the output directory for WinPwn but could not find any text files. As per your instructions, I used the same configuration with Inveigh.ps1:
Invoke-Inveigh -ConsoleOutput N -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -FileOutput Y

I got the text files, please check the screenshot:

[screenshot: Sir]
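The whole thread hinges on one fact: with -ConsoleOutput N the text file is the only place a capture shows up, so "no file" can mean either "no client ever authenticated" or "the file went somewhere else". The PowerShell below is an added example (not WinPwn's or Inveigh's own code) of the check a tester would run on the capturing host: it looks in a given output directory for Inveigh's NetNTLMv2 file, parses each hashcat-style line (user::domain:serverchallenge:ntproofstr:blob), sanity-checks the field sizes and blob header, and decodes the client timestamp from the blob. The file name Inveigh-NTLMv2.txt is an assumption about Inveigh's default output naming; the sample line it feeds itself is constructed, not a real capture.

```powershell
# Added example (not WinPwn's or Inveigh's own code): confirm that a file-output
# Inveigh run actually captured NetNTLMv2 hashes, since with -ConsoleOutput N the
# text file is the only evidence.
# Assumption: Inveigh writes NetNTLMv2 captures to "Inveigh-NTLMv2.txt" in its
# output directory, one hashcat-style line each:
#   user::domain:serverchallenge:ntproofstr:blob

function ConvertFrom-NetNtlmv2Line {
    param([Parameter(Mandatory)][string]$Line)

    $head = $Line -split '::', 2
    if ($head.Count -ne 2) { return $null }
    $rest = $head[1] -split ':', 4
    if ($rest.Count -ne 4) { return $null }

    $challenge = $rest[1]; $proof = $rest[2]; $blob = $rest[3]

    # Structural checks: 8-byte server challenge, 16-byte NTProofStr, and a blob that
    # starts with the NTLMv2_CLIENT_CHALLENGE header (RespType 01, HiRespType 01).
    $valid = ($challenge.Length -eq 16) -and ($proof.Length -eq 32) -and ($blob -match '^(?i)0101')

    # Blob bytes 8..15 (hex chars 16..31) are the client's little-endian FILETIME;
    # decoding it shows when the client built the response and whether its clock is sane.
    $clientTime = $null
    if ($valid -and $blob.Length -ge 32) {
        $bytes = [byte[]](0..7 | ForEach-Object { [Convert]::ToByte($blob.Substring(16 + 2 * $_, 2), 16) })
        $ft = [BitConverter]::ToInt64($bytes, 0)
        try { if ($ft -gt 0) { $clientTime = [DateTime]::FromFileTimeUtc($ft) } } catch { }
    }

    [pscustomobject]@{
        User            = $head[0]
        Domain          = $rest[0]
        ServerChallenge = $challenge
        NTProofStr      = $proof
        BlobValid       = $valid
        ClientTime      = $clientTime
    }
}

function Test-InveighCapture {
    param([Parameter(Mandatory)][string]$OutputDirectory)

    $file = Join-Path $OutputDirectory 'Inveigh-NTLMv2.txt'   # assumed default file name
    if (-not (Test-Path $file)) {
        Write-Warning "No $file - either no client authenticated to the listener, or Inveigh wrote its output elsewhere."
        return @()
    }

    $parsed = Get-Content $file |
        Where-Object { $_.Trim() } |
        ForEach-Object { ConvertFrom-NetNtlmv2Line $_ } |
        Where-Object { $_ }

    # One row per account: how many captures, how many look structurally valid,
    # and the most recent client timestamp seen.
    $parsed | Group-Object { "$($_.Domain)\$($_.User)" } | ForEach-Object {
        [pscustomobject]@{
            Account        = $_.Name
            Captures       = $_.Count
            Valid          = @($_.Group | Where-Object BlobValid).Count
            LastClientTime = ($_.Group.ClientTime | Sort-Object | Select-Object -Last 1)
        }
    }
}

# Constructed demo data (not a real capture): one NetNTLMv2 line with a plausible
# blob, written to a temp directory that stands in for WinPwn's Inveigh output folder.
$ft     = [DateTime]::new(2022, 7, 10, 14, 30, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$ftHex  = -join ([BitConverter]::GetBytes($ft) | ForEach-Object { $_.ToString('x2') })
$blob   = '0101000000000000' + $ftHex + '1122334455667788' + '00000000' + '02000800540045005300540000000000'
$sample = 'administrator::MN:aabbccdd11223344:' + ('ab' * 16) + ':' + $blob
$dir    = Join-Path ([IO.Path]::GetTempPath()) 'inveigh-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'Inveigh-NTLMv2.txt') -Value $sample

Test-InveighCapture -OutputDirectory $dir | Format-Table -AutoSize
```

Point it at the real directory from the screenshot (the WinPwn subfolder under Desktop) instead of the temp folder. An empty result with the warning means the listener never received an authentication attempt, which is the owner's "maybe there were no incoming connections" case; a file with rows that fail the structural checks points at a truncated or mangled write rather than a capture problem.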
