NTLMv2 Hash Theft¶
What Is NTLMv2 Hash Theft?¶
NTLMv2 hash theft (also called NTLM coercion or forced authentication) is a class of attacks that trick a Windows system into initiating NTLM authentication to an attacker-controlled server. When this happens, the victim's Net-NTLMv2 challenge/response hash is sent over the network and can be:
- Captured — for offline password cracking (hashcat mode 5600)
- Relayed — forwarded to another service to authenticate as the victim (ntlmrelayx)
This is one of the most versatile and widely-used attack techniques in Active Directory penetration testing.
The Core Mechanism¶
Every technique in this section follows the same fundamental flow:
sequenceDiagram
participant Attacker as 🔴 Attacker<br/>(Responder/ntlmrelayx)
participant Victim as 🖥️ Victim<br/>(Windows)
participant SMB as 📁 Attacker's<br/>SMB Server
Note over Attacker: Set up capture server<br/>(Responder, Inveigh, etc.)
Attacker->>Victim: Deliver trigger<br/>(file, link, coercion RPC)
Victim->>SMB: SMB Connection<br/>(automatic NTLM auth)
SMB-->>Attacker: Net-NTLMv2 Hash Captured
Note over Attacker: Crack with hashcat<br/>OR relay to target service
Why it works: Windows automatically attempts NTLM authentication when a process tries to access a UNC path (\\server\share). Many Windows features — file icons, search indexing, Office document loading, media playlists — resolve UNC paths without explicit user consent.
Capture Infrastructure¶
Before using any coercion technique, you need a server to capture the incoming authentication:
| Tool | Use Case | Command |
|---|---|---|
| Responder | Capture hashes on the wire | responder -I eth0 -v |
| Inveigh | .NET/PowerShell hash capture (on Windows) | Invoke-Inveigh -ConsoleOutput Y |
| ntlmrelayx | Relay captured auth to another target | ntlmrelayx.py -t ldaps://dc01 -smb2support |
| smbserver.py | Simple SMB capture server | impacket-smbserver share . -smb2support |
What To Do With Captured Hashes¶
Option 1: Offline Cracking¶
# hashcat — mode 5600 is Net-NTLMv2
hashcat -m 5600 captured_hashes.txt /path/to/wordlist.txt -r /path/to/rules.rule
Option 2: NTLM Relay¶
Instead of cracking, relay the authentication to another service in real-time:
# Relay to LDAP on a Domain Controller (for AD object modification)
ntlmrelayx.py -t ldaps://dc01.corp.local --escalate-user attacker
# Relay to ADCS web enrollment (ESC8 — instant Domain Admin)
ntlmrelayx.py -t http://ca01.corp.local/certsrv/certfnsh.asp --adcs --template DomainController
Option 3: Pass-the-Hash (if you crack it)¶
Once cracked, the cleartext password enables: - Pass-the-Hash with the NT hash - Kerberos ticket requests - Full authenticated access
Section Contents¶
This knowledge base section is divided into:
| Article | Focus |
|---|---|
| File-Based Coercion | Files that trigger NTLM auth when browsed, opened, or extracted — .library-ms, .url, .lnk, .theme, Office docs, PDF, media playlists, search: URI |
| Protocol-Based Coercion | RPC/DCOM-based coercion: PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, RemoteMonologue, and relay chains |
Key CVEs (2020–2026)¶
| CVE | Year | File/Vector | Interaction Required |
|---|---|---|---|
| CVE-2021-36942 | 2021 | PetitPotam (EFS RPC) | None (network) |
| CVE-2021-1678 | 2021 | NTLM relay to RPC | None (network) |
| CVE-2022-26925 | 2022 | LSA Spoofing (PetitPotam variant) | None (network) |
| CVE-2023-23397 | 2023 | Outlook calendar invite (UNC reminder sound) | Zero-click |
| CVE-2023-35636 | 2023 | Outlook "crumb" parameter | Click link |
| CVE-2024-43451 | 2024 | .theme file NTLM leak | Browse/preview |
| CVE-2024-38030 | 2024 | Theme file bypass of prior patch | Browse/preview |
| CVE-2025-24054 | 2025 | .library-ms NTLM spoofing | Extract ZIP |
| CVE-2025-24071 | 2025 | .library-ms in Explorer (zero-click on extract) | Extract ZIP |
| CVE-2026-32202 | 2026 | Explorer preview handler | Browse folder |
| Unpatched (2026) | 2026 | search: URI handler (Huntress) | Click link |
Defense Quick Reference¶
| Mitigation | Effect |
|---|---|
| Disable NTLM where possible | Eliminates the attack class entirely |
| Enforce SMB signing | Prevents relay (but not capture) |
| Restrict outbound SMB (port 445) | Prevents hash leak to external servers |
| Enable Extended Protection for Authentication (EPA) | Prevents relay to web services |
| Block .library-ms, .searchConnector-ms via email gateway | Prevents delivery of coercion files |
| Patch — keep Windows updated | Closes specific coercion vectors |
| Monitor for outbound SMB to non-DC IPs | Detects coercion in progress |