pyrdp
Problematic logging of some NetNTLMv2 exchanges
In honeypots, we witnessed NetNTLM entries that are malformed. They have an additional ":" in them.
Example entries:
SQL:JINGLEBELLS87!:::108f4b48bee84337:e2d703be57bc4608552e5d6cd6fdf0ee:010100000000000080008cbbf896d80197039341ec7114610000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c0007000800153388b9f896d80100000000
SBSADMIN:SBSA20210:::3107a6a61e2de1e2:a721cb7c500c54c6fa94426e56d91414:01010000000000008013a606f996d8012af30ece20e47a9a0000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c00070008006148c704f996d80100000000
SQL:MIHAEL_555:::d0dd2bedb36b00d4:509c6268481c2a679aaf13f10ac09121:0101000000000000006c2a13f996d801b38fb6fe696d4ad50000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c000700080016892011f996d80100000000
I'm not 100% sure but I think that logging like this is naive:

The extra : could come from there and maybe we should have logged workstation or some other thing in there. I'm not sure, will have to look at it later.
Could also be malformed clients since I couldn't manage to crack these hashes.
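To make the malformation concrete, here is an added example (not pyrdp's own code) that checks a logged line against the hashcat NetNTLMv2 convention `USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB` and decodes the client blob's AV pairs, which is the part of the line a defender can still read even when the prefix is wrong. The assumption that this six-field layout is the intended output is mine; the malformed sample is copied from the issue above, and the well-formed line is constructed with placeholder challenge and proof values.

```python
"""Added example: sanity-check NetNTLMv2 log lines and decode the client blob.

Assumed target layout (hashcat mode 5600 convention, not confirmed by the issue):
    USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB
A well-formed line therefore has exactly six colon-separated fields.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

HEX = re.compile(r"^[0-9a-fA-F]*$")

# AV_PAIR ids from MS-NLMP section 2.2.2.1
AV_IDS = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
    7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
    10: "MsvAvChannelBindings",
}
UNICODE_AV = {1, 2, 3, 4, 5, 9}  # values are UTF-16LE strings

# Sample copied from the issue above: note 7 fields instead of 6 (the extra ':').
ISSUE_LINE = (
    "SQL:JINGLEBELLS87!:::108f4b48bee84337:e2d703be57bc4608552e5d6cd6fdf0ee:"
    "010100000000000080008cbbf896d80197039341ec7114610000000002001e0045004300320041004d0041005a002d004c00350052003200360043004c0001001e0045004300320041004d0041005a002d004c00350052003200360043004c0004001e0045004300320041004d0041005a002d004c00350052003200360043004c0003001e0045004300320041004d0041005a002d004c00350052003200360043004c0007000800153388b9f896d80100000000"
)
# Constructed well-formed line: placeholder user/domain/challenge/proof, blob reused from above.
GOOD_LINE = "alice::EXAMPLE:0011223344556677:" + "0" * 32 + ":" + ISSUE_LINE.split(":")[-1]


def check_line(line: str) -> list:
    """Return a list of problems with a logged line; an empty list means well-formed."""
    fields = line.strip().split(":")
    problems = []
    if len(fields) != 6:
        problems.append(f"expected 6 colon-separated fields, got {len(fields)}")
        return problems  # field positions are unreliable past this point
    user, empty, _domain, challenge, proof, blob = fields
    if not user:
        problems.append("empty user field")
    if empty:
        problems.append(f"second field should be empty, got {empty!r}")
    if len(challenge) != 16 or not HEX.match(challenge):
        problems.append("server challenge must be 8 bytes (16 hex chars)")
    if len(proof) != 32 or not HEX.match(proof):
        problems.append("NTProofStr must be 16 bytes (32 hex chars)")
    if len(blob) % 2 or not HEX.match(blob) or not blob.lower().startswith("0101"):
        problems.append("blob must be hex and start with RespType=1, HiRespType=1")
    return problems


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_blob(blob_hex: str) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE structure (MS-NLMP 2.2.2.7) in the last field."""
    raw = bytes.fromhex(blob_hex)
    if len(raw) < 28 or raw[0] != 1 or raw[1] != 1:
        raise ValueError("not an NTLMv2 client challenge blob")
    # Layout: RespType(1) HiRespType(1) Reserved1(2) Reserved2(4)
    #         TimeStamp(8) ChallengeFromClient(8) Reserved3(4) AvPairs...
    timestamp, client_challenge = struct.unpack_from("<Q8s", raw, 8)
    av_pairs = {}
    off = 28
    while off + 4 <= len(raw):
        av_id, av_len = struct.unpack_from("<HH", raw, off)
        off += 4
        value = raw[off:off + av_len]
        off += av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, f"MsvAv{av_id}")
        if av_id in UNICODE_AV:
            av_pairs[name] = value.decode("utf-16-le", errors="replace")
        elif av_id == 7 and len(value) == 8:
            av_pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0]).isoformat()
        else:
            av_pairs[name] = value.hex()
    return {
        "timestamp": filetime_to_datetime(timestamp).isoformat(),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av_pairs,
    }


if __name__ == "__main__":
    for line in (ISSUE_LINE, GOOD_LINE):
        print("problems:", check_line(line) or "none")
    print(parse_blob(ISSUE_LINE.split(":")[-1]))
```

Running this on the issue's line reports the seven-field count, while the decoded blob still yields the NetBIOS and DNS names the server advertised and the client timestamp, so the entry stays useful for honeypot analysis even before the logging format is fixed.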