Bob123 Posted January 29, 2019

Question for y'all on hashes and Win7. A little background on my setup. I have a Windows machine with a Kali VM, a WinXP VM, a Win7 Pro VM, and a Win7 Enterprise VM. I set up the same username and password on all Windows machines and also made sure that user was part of the administrators group. So the same across the board.

The hashes look like they are in two parts with a : between them. The second part seems the same, but the first part is different between the WinXP VM and the Win7 Pro VM. Why is that? Both VMs have an admin account and those hashes are both exactly the same. So the two hashes work, but why are they different? Same user name, same member of the groups, and most importantly same password.

Second question. I have a Win7 Enterprise VM running. Did exactly the same to it as I did with the Win7 Pro VM, yet every time I try either of the hashes I get a STATUS_ACCESS_DENIED. What makes Enterprise different? My first setup was a Linux box using KVM with a WinXP VM and a Win7 Enterprise VM, thinking it was Linux or something else going on, but I can now confirm that Enterprise is the issue.

If anyone has any info that would be great. If not, no big deal. I'm going to create a Win7 Pro VM on my Linux box and see if it works as planned. Which I assume it will. Thanks.
icarus255 Posted February 15, 2019

Not really sure if I understood your questions and your scenarios. It would probably make more sense if you pasted the hashes here so people can see what you're talking about, but I will try to answer anyway.

You need to identify what hashes you are capturing first because Windows uses several authentication protocols. Compatibility/group policy will determine which authentication protocol is used and subsequently the hashing algorithm. For example, Windows 7 does not support LM hashes by default but Windows XP is backward compatible so it can.

NTLM hashes are not salted, which means that if you computed the "password" value into a hash value multiple times, you will always get the same resulting hash. NTLMv2 hashes, on the other hand, are salted, which means if you converted the same password value multiple times into a hash value then you will always get a completely different looking hash each time.

Identifying the hashes first will help you figure out what you can do with them because you won't be able to use NTLMv2 hashes in a pass-the-hash attack.

Some useful reference material for identifying hashes: https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4
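
An added example, not part of either post: a small audit over stored hashes that reports which hosts still keep an LM hash and which accounts share an unsalted NT hash. It assumes the two-part hashes come from lines in the pwdump-style `user:rid:LM:NT:::` layout; the host names, accounts and hash values are constructed placeholders.

```python
import re
from collections import defaultdict

# Well-known constants: the LM and NT hashes of an empty string. Windows Vista
# and later store the empty LM value as a placeholder when LM storage is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_line(line):
    """Parse 'user:rid:LM:NT:::' (assumed layout) and return (user, lm, nt)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump-style line: %r" % line)
    user, lm, nt = fields[0], fields[2].lower(), fields[3].lower()
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError("LM/NT fields must be 32 hex digits: %r" % line)
    return user, lm, nt

def audit(dumps):
    """dumps: {host: [pwdump lines]} -> (findings, reuse)."""
    findings, by_nt = [], defaultdict(list)
    for host, lines in dumps.items():
        for line in lines:
            user, lm, nt = parse_line(line)
            if lm != EMPTY_LM:
                findings.append((host, user, "LM hash stored"))
                # Each 7-character half is hashed separately, so an empty
                # second half reveals a password of 7 characters or fewer.
                if lm[16:] == EMPTY_LM[:16]:
                    findings.append((host, user, "password <= 7 chars"))
            if nt == EMPTY_NT:
                findings.append((host, user, "blank password"))
            else:
                by_nt[nt].append((host, user))
    # NT hashes are unsalted: equal hashes mean equal passwords.
    reuse = [accts for accts in by_nt.values() if len(accts) > 1]
    return findings, reuse

# Constructed sample data; the hex values are placeholders, not real hashes.
NT = "0123456789abcdef0123456789abcdef"
SAMPLE = {
    "winxp": ["bob:1003:89abcdef01234567fedcba9876543210:" + NT + ":::"],
    "win7pro": ["bob:1001:" + EMPTY_LM + ":" + NT + ":::"],
}

if __name__ == "__main__":
    findings, reuse = audit(SAMPLE)
    print(findings)
    print(reuse)
```

On the sample data the first field differs between the two hosts because only one of them stores a real LM hash, while the identical second field is flagged as the same password on both.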