🐾 - 🚨 Deprecated NTLMv1 authentication performed [Obsolete Windows 🪟 XP or prior version] - Possible Responder 🎩 LM downgrade for Net-NTLMv1 hash capturing 🥷 - S0174

SID: 3300142
Rev: 6
Source: pawpatrules
Created: August 4, 2023
Updated: February 18, 2024
Classification: credential-theft
alert tcp any any -> any 445 (msg:"🐾 - 🚨 Deprecated NTLMv1 authentication performed [Obsolete Windows 🪟 XP or prior version] - Possible Responder 🎩 LM downgrade for Net-NTLMv1 hash capturing 🥷 - S0174"; flow:to_server, stateless; content:"|ff 53 4d 42 73 00 00 00 00|"; fast_pattern; content:"|00 00 00 00|"; content:"|00 00 00 00|"; distance:4; content:"|d4 00 00 00|"; distance:0; content:!"|01 01|"; content:!"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-039/; reference:url,https://g-laurent.blogspot.com/; reference:url,https://github.com/lgandx/Responder; reference:url,https://attack.mitre.org/software/S0174/; reference:url,https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4; reference:url,https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73; metadata:created_at 2023_08_04, updated_at 2024_02_18; sid:3300142; rev:6; classtype:credential-theft;)

Metadata

created_at: 2023_08_04
updated_at: 2024_02_18
