Problematic logging of some NetNTLMv2 exchanges #407

Open
obilodeau opened this issue Aug 23, 2022 · 0 comments
Labels
bug Something isn't working investigate Needs more thought / experience
Milestone

Comments

@obilodeau
Collaborator

In honeypots, we witnessed NetNTLM entries that are malformed. They have an additional ":" in them.

Example entries:

SQL:JINGLEBELLS87!:::108f4b48bee84337:e2d703be57bc4608552e5d6cd6fdf0ee:010100000000000080008cbbf896d80197039341ec7114610000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c0007000800153388b9f896d80100000000
SBSADMIN:SBSA20210:::3107a6a61e2de1e2:a721cb7c500c54c6fa94426e56d91414:01010000000000008013a606f996d8012af30ece20e47a9a0000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c00070008006148c704f996d80100000000
SQL:MIHAEL_555:::d0dd2bedb36b00d4:509c6268481c2a679aaf13f10ac09121:0101000000000000006c2a13f996d801b38fb6fe696d4ad50000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c000700080016892011f996d80100000000

I'm not 100% sure but I think that logging like this is naive:

[image: screenshot of the logging code referenced above]

The extra ":" could come from there, and maybe we should have logged the workstation or some other thing in there. I'm not sure; I will have to look at it later.

It could also be malformed clients, since I couldn't manage to crack these hashes.

@obilodeau obilodeau added bug Something isn't working investigate Needs more thought / experience labels Aug 23, 2022
@obilodeau obilodeau added this to the v1.3.0 milestone Aug 23, 2022
@obilodeau obilodeau modified the milestones: v1.3.0, v2.0.1 Dec 14, 2023
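As an added example (this is not part of the issue above and not the project's own logging code), the following script checks a logged NetNTLMv2 line against the layout hashcat expects for mode 5600 and decodes the trailing response blob according to MS-NLMP (NTLMv2_CLIENT_CHALLENGE followed by an AV_PAIR list). Two assumptions are made: that the intended log layout is `user::domain:server_challenge:NTProofStr:blob`, and that whatever the first fields look like, the last three fields of a line are the 8-byte server challenge, the 16-byte NTProofStr and the blob. The first entry from the issue is used verbatim as input; the second input is a constructed line in the expected layout that reuses the same challenge, proof and blob purely to show the check passing.

```python
"""Sanity-check NetNTLMv2 log lines (hashcat mode 5600 layout) and decode the
NTLMv2 response blob per MS-NLMP. Added example, not the project's own code."""
import struct
from datetime import datetime, timedelta, timezone

# First entry quoted in the issue, verbatim.
ISSUE_LINE = (
    "SQL:JINGLEBELLS87!:::108f4b48bee84337:e2d703be57bc4608552e5d6cd6fdf0ee:"
    "010100000000000080008cbbf896d80197039341ec7114610000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c0007000800153388b9f896d80100000000"
)

# Constructed line in the assumed expected layout (user::domain:challenge:proof:blob),
# reusing the issue's challenge/proof/blob; the domain "EXAMPLE" is made up.
WELLFORMED_LINE = "SQL::EXAMPLE:" + ISSUE_LINE.split(":", 4)[4]

EXPECTED_FIELDS = 6  # user, (empty), domain, server challenge, NTProofStr, blob

# AV_PAIR ids from MS-NLMP section 2.2.2.1
AV_NAMES = {0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
            6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
            9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
UTF16_AV_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def check_line(line):
    """Return a list of layout problems; an empty list means the line parses as mode 5600."""
    fields = line.strip().split(":")
    problems = []
    if len(fields) < 3:
        return ["fewer than three colon-separated fields"]
    if len(fields) != EXPECTED_FIELDS:
        problems.append(f"expected {EXPECTED_FIELDS} colon-separated fields, got {len(fields)}")
    elif fields[1] != "":
        problems.append("second field should be empty in the user::domain layout")
    # Assumption: the last three fields are always challenge, NTProofStr and blob.
    challenge, proof, blob = fields[-3:]
    for name, value, hexlen in (("server challenge", challenge, 16), ("NTProofStr", proof, 32)):
        if len(value) != hexlen:
            problems.append(f"{name} should be {hexlen} hex chars, got {len(value)}")
    for name, value in (("server challenge", challenge), ("NTProofStr", proof), ("blob", blob)):
        try:
            bytes.fromhex(value)
        except ValueError:
            problems.append(f"{name} is not valid hex")
    return problems


def decode_blob(blob_hex):
    """Decode NTLMv2_CLIENT_CHALLENGE: header, timestamp, client nonce and AV_PAIR list."""
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 32 or blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE structure (RespType/HiRespType != 1)")
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    av_pairs = {}
    offset = 28  # AV_PAIRs start after the 28-byte fixed header
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if offset + av_len > len(blob):
            raise ValueError(f"AV_PAIR {av_id} runs past the end of the blob")
        value = blob[offset:offset + av_len]
        offset += av_len
        if av_id == 0:
            break
        name = AV_NAMES.get(av_id, f"MsvAv{av_id}")
        if av_id in UTF16_AV_IDS:
            av_pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            av_pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            av_pairs[name] = value.hex()
    else:
        raise ValueError("AV_PAIR list not terminated by MsvAvEOL")
    return {"timestamp": filetime_to_datetime(timestamp),
            "client_challenge": client_challenge.hex(),
            "av_pairs": av_pairs}


if __name__ == "__main__":
    for label, line in (("issue entry", ISSUE_LINE), ("constructed entry", WELLFORMED_LINE)):
        print(f"{label}: {check_line(line) or 'layout ok'}")
        info = decode_blob(line.split(":")[-1])
        print(f"  client timestamp: {info['timestamp']}  client challenge: {info['client_challenge']}")
        for name, value in info["av_pairs"].items():
            print(f"  {name}: {value}")
```

Running it reports the issue's entry as having seven fields instead of six while the constructed entry passes, and the decoded AV_PAIRs show that the blob only carries the target's names (the same NetBIOS/DNS name repeated) and timestamps, so the client workstation name is not recoverable from the blob itself.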