nettitude/ETWHash

Article Excerpt

About: ETWHash is a C# POC that is able to extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the Microsoft-Windows-SMBServer provider {D48CE617-33A2-4BC3-A5C7-11AA4F29619E}.
Notes: Administrative privileges required.
Usage: Usage: EtwHash.

property | value
tags | github-repo,offensive-tradecraft,tool-adversary,tradecraft-tool
url |
original_word_count | 161

Long Summary

ETWHash is a C# POC (Proof of Concept) that is able to extract NetNTLMv2 hashes of incoming authentications via SMB (Server Message Block). It does this by consuming ETW (Event Tracing for Windows) events from the Microsoft-Windows-SMBServer provider. Administrative privileges are required to use the tool.

The tool is used by entering a time in seconds as an argument. For example, ‘EtwHash.exe 60’ will start monitoring the ETW provider for 60 seconds. The output of the tool is a NetNTLMv2 hash.

The article also provides useful references for further reading. These include a blog post on tampering with Windows Event Tracing, as well as several GitHub repositories: EtwExplorer, WinTools, and SilkETW.

The code for ETWHash is based on the work of Lefty (@lefterispan), a member of the Nettitude Red Team. The article ends with a shout-out to the Nettitude Red Team.

In summary, ETWHash extracts NetNTLMv2 hashes of incoming SMB authentications, requires administrative privileges to run, and outputs a NetNTLMv2 hash. The article provides useful references and credits the work of Lefty (@lefterispan) and the Nettitude Red Team.


Short Summary

📓 nettitude/ETWHash

👉🏽 ETWHash is a C# POC that extracts NetNTLMv2 hashes via SMB.
👉🏽 The tool consumes ETW events from the Microsoft-Windows-SMBServer provider.
👉🏽 Administrative privileges are required to use the tool.
👉🏽 The tool can be used by entering a time in seconds as an argument.
👉🏽 The output is a NetNTLMv2 hash.
👉🏽 The article provides useful references for further reading.
👉🏽 The references include a blog post on tampering with Windows Event Tracing.
👉🏽 The references also include several GitHub repositories.
👉🏽 The code for ETWHash is based on the work of Lefty (@lefterispan).
👉🏽 The article acknowledges the Nettitude Red Team for their contributions.

#ETWHash #NetNTLMv2 #SMB #ETW #AdministrativePrivileges #Lefty #NettitudeRedTeam #References #UsefulTool