  • Stars: 248
  • Rank: 163,560 (Top 4 %)
  • Language: C#
  • Created over 1 year ago
  • Updated over 1 year ago


Repository Details

C# POC to extract NetNTLMv1/v2 hashes from ETW provider

About

ETWHash is a C# proof of concept (PoC) that extracts NetNTLMv2 hashes from incoming SMB authentications by consuming ETW events from the Microsoft-Windows-SMBServer provider {D48CE617-33A2-4BC3-A5C7-11AA4F29619E}.

Notes

  • Administrative privileges required

Usage

Usage:
EtwHash.exe [time_in_seconds]

Example:
C:\Temp\>EtwHash.exe 60

[*] Started monitoring ETW provider for 60 seconds.
nessus::LAB:D27DD3110B795705:25669980911E6CE0693E01796FA34B6E:01010000000000004C6B85AE6178D901EB33D5D6CF85093A00000000020008005700500041004400010008005700500041004400040008007700700061006400030008007700700061006400070008004C6B85AE6178D901060004000200000008003000300000000000000001000000002000003E77D791FEFF45C00D86B0D8744093A2F75712A53AC94F62AD16FF5B4AB54BAE0A0010000000000000000000000000000000000009001C0063006900660073002F003100320037002E0030002E0030002E0031000000000000000000

Useful References:

https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

https://github.com/zodiacon/EtwExplorer

https://github.com/0xeb/WinTools/tree/master/WEPExplorer

https://github.com/mandiant/SilkETW

Code is based on the following repos:

Credits

Lefty @lefterispan - Nettitude Red Team - 2022 / 2023

Shouts to:

Nettitude RT

More Repositories

1. PoshC2 (PowerShell, 1,767 stars): A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
2. xss_payloads (PHP, 697 stars): Exploitation for XSS
3. PoshC2_Old (PowerShell, 574 stars): Powershell C2 Server and Implants
4. SharpSocks (C#, 472 stars): Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
5. SharpWSUS (C#, 429 stars)
6. RunPE (C#, 416 stars): C# Reflective loader for unmanaged binaries.
7. SimplePELoader (C++, 366 stars): In-Memory PE Loader
8. Prowl (Python, 275 stars)
9. MalSCCM (C#, 241 stars)
10. scrounger (Python, 237 stars): Mobile application testing toolkit
11. ShellcodeMutator (Python, 232 stars)
12. Aladdin (C#, 212 stars)
13. Tartarus-TpAllocInject (C++, 172 stars)
14. RunOF (C#, 138 stars)
15. Invoke-PowerThIEf (PowerShell, 130 stars): The PowerThIEf, an Internet Explorer Post Exploitation library
16. DLLInjection (C++, 70 stars): DLL Injection Library & Tools
17. SharpConflux (C#, 63 stars)
18. zeropress (Python, 55 stars): A dumb script for finding dumb coding errors in WordPress plugins
19. CVE-2024-20356 (Python, 47 stars): This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.
20. CVE-2024-25153 (Python, 43 stars): Proof-of-concept exploit for CVE-2024-25153.
21. defensive-scripts (34 stars): Defence Against the Dark Arts
22. InlineFunctionHooking (C, 28 stars): Windows Inline function hooking library targeted at MSVC
23. pwnlyoffice (JavaScript, 24 stars): Exploit ONLYOFFICE Implementations
24. PoshC2_IOCs (YARA, 23 stars): A list of IOCs applicable to PoshC2
25. SyscallsExtractor (C#, 23 stars)
26. logparser (21 stars): SQL scripts for querying event logs
27. yasha (Python, 18 stars)
28. metasploit-modules (Ruby, 12 stars): Modules created by Nettitude for Metasploit
29. hyperv-driver-thread-detection-poc (C#, 11 stars)
30. PoshC2_Shellcode (C, 11 stars): Supporting projects for PoshC2
31. CVE-2022-23253-PoC (Python, 5 stars): CVE-2022-23253 PoC
32. PoshC2_Linux_Implant (C, 4 stars)
33. PBind (C#, 2 stars): PBind payloads for PoshC2
34. secure-development-training (PHP, 2 stars)
35. PoshC2_Core (C#, 1 star)
36. FComm (C#, 1 star): FComm payloads for PoshC2