Using Hydra on an NTLM authentication

Çağlar Arlı      -    58 Views

I'm learning Active Directory attacks and in one of the labs we are given the example of gaining the initial foothold in an AD system via NetNTLM by performing a password spraying attack. For the purpose of the lab we are given a custom Python script which performs the attack, but we are told we could also use Hydra. The login form we are attacking is not an actual HTML form but rather one of those popups (not sure what it's called, so here is a screenshot):

[Screenshot: login popup]

Using ZAP I have gathered that this uses a GET request in the following format (this is an example of an invalid login which returns a 401 response):

GET http://ntlmauth.za.tryhackme.com/ HTTP/1.1
host: ntlmauth.za.tryhackme.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAADOAM4AgAAAAAAAAABAAAAAEgASAEAAAAAWABYAUgAAAAAAAAAAAAAABYIIAHMAbwBtAGUAdABoAGkAbgBnAFcATwBSAEsAUwBUAEEAVABJAE8ATgA/AKlVMdZVUPwI+iuaumMR9dJIk1kSMz6zINYs7Wq71ERMgu22XsSOAQEAAAAAAAAA313vMi7aAcXmbbG1eauYAAAAAAIABABaAEEAAQAMAFQASABNAEkASQBTAAQAIAB6AGEALgB0AHIAeQBoAGEAYwBrAG0AZQAuAGMAbwBtAAMALgBUAEgATQBJAEkAUwAuAHoAYQAuAHQAcgB5AGgAYQBjAGsAbQBlAC4AYwBvAG0ABQAgAHoAYQAuAHQAcgB5AGgAYQBjAGsAbQBlAC4AYwBvAG0ABwAIAJtGh/AyLtoBAAAAAA==

I have used Hydra many times before to attack mainly POST requests. I am trying to figure out how to leverage Hydra to attack this GET request. It appears there is some sort of encoding taking place but I can't figure out what it is.
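
Added example, not part of the original post: the value after `Authorization: NTLM` is the Base64 form of a binary NTLMSSP AUTHENTICATE (type 3) message, and this Python parser decodes the header captured in the request above. The function names and dictionary keys are this example's own.

```python
import base64
import struct

# Authorization header value copied from the request shown above.
HEADER = "NTLM TlRMTVNTUAADAAAAGAAYAGgAAADOAM4AgAAAAAAAAABAAAAAEgASAEAAAAAWABYAUgAAAAAAAAAAAAAABYIIAHMAbwBtAGUAdABoAGkAbgBnAFcATwBSAEsAUwBUAEEAVABJAE8ATgA/AKlVMdZVUPwI+iuaumMR9dJIk1kSMz6zINYs7Wq71ERMgu22XsSOAQEAAAAAAAAA313vMi7aAcXmbbG1eauYAAAAAAIABABaAEEAAQAMAFQASABNAEkASQBTAAQAIAB6AGEALgB0AHIAeQBoAGEAYwBrAG0AZQAuAGMAbwBtAAMALgBUAEgATQBJAEkAUwAuAHoAYQAuAHQAcgB5AGgAYQBjAGsAbQBlAC4AYwBvAG0ABQAgAHoAYQAuAHQAcgB5AGgAYQBjAGsAbQBlAC4AYwBvAG0ABwAIAJtGh/AyLtoBAAAAAA=="
# AV_PAIR ids holding UTF-16LE text; the key names are this example's own labels.
TEXT_AV = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}

def read_buffer(msg, pos):
    """Resolve a security buffer descriptor (len, maxlen, offset) to its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_av_pairs(data):
    """Walk (id, len, value) records until MsvAvEOL (id 0)."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        if av_id == 0:
            break
        value = data[pos + 4:pos + 4 + av_len]
        key = TEXT_AV.get(av_id)
        pairs[key or f"av_{av_id}"] = value.decode("utf-16-le") if key else value.hex()
        pos += 4 + av_len
    return pairs

def parse_authenticate(header):
    """Decode an 'NTLM <base64>' Authorization value holding a type 3 message."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64, validate=True)
    if msg[:8] != b"NTLMSSP\x00" or msg[8:12] != b"\x03\x00\x00\x00" or len(msg) < 64:
        raise ValueError("not an NTLMSSP AUTHENTICATE (type 3) message")
    flags, = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & 0x1 else "latin-1"  # NEGOTIATE_UNICODE; OEM approximated
    nt = read_buffer(msg, 20)
    out = {"domain": read_buffer(msg, 28).decode(enc),
           "user": read_buffer(msg, 36).decode(enc),
           "workstation": read_buffer(msg, 44).decode(enc),
           "ntlmv2": len(nt) > 24}  # an NTLMv1 response is exactly 24 bytes
    if out["ntlmv2"]:  # 16-byte NTProofStr, 28-byte blob header, then AV pairs
        out["target_info"] = parse_av_pairs(nt[44:])
    return out

if __name__ == "__main__":
    print(parse_authenticate(HEADER))
```

The decoded message holds the user name, the workstation name and an NTLMv2 response computed over the server's challenge, not the password itself, so the header value differs on every attempt.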