
LSASS NTLM Authentication Backdoor

How it Works

First, the DLL is injected into the lsass.exe process and hooks the authentication routine it targets: MsvpPasswordValidate(), which lives in NtlmShared.dll. To stay unnoticed, the hook first calls the original function and lets the normal authentication flow run unchanged. Only after that check has failed does the hook swap the account's real NTLM hash for the backdoor hash and repeat the comparison, so a logon with the backdoor password succeeds while legitimate logons (and failed logons with a wrong password) behave exactly as before.
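The "call the original first, patch only on failure" logic described above, as an added example that models the hook in portable C. This is not Nosferatu's code: the validator signature, the STORED_CREDENTIAL structure and the idea that the client's proof is simply its NT hash are simplifications assumed for the model (real NTLM derives a challenge response from the hash, and the real function takes more parameters). The NT hash derivation (MD4 over the UTF-16LE password) is real and is checked against the well-known hash of "password". The account password and backdoor password are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_HASH_LEN 16

/* ---- MD4 (RFC 1320), enough to derive NT hashes: MD4(UTF-16LE(password)) ---- */
static uint32_t rol(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }

static void md4_block(uint32_t st[4], const uint8_t blk[64])
{
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13}, s3[4] = {3, 9, 11, 15};
    static const int k2[16] = {0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15};
    static const int k3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t X[16], a = st[0], b = st[1], c = st[2], d = st[3], t;
    for (int i = 0; i < 16; i++)               /* message words are little-endian */
        X[i] = (uint32_t)blk[4 * i] | (uint32_t)blk[4 * i + 1] << 8 |
               (uint32_t)blk[4 * i + 2] << 16 | (uint32_t)blk[4 * i + 3] << 24;
    for (int i = 0; i < 16; i++) {             /* round 1: F = (b & c) | (~b & d) */
        t = rol(a + ((b & c) | (~b & d)) + X[i], s1[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    for (int i = 0; i < 16; i++) {             /* round 2: G = majority(b, c, d) */
        t = rol(a + ((b & c) | (b & d) | (c & d)) + X[k2[i]] + 0x5A827999u, s2[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    for (int i = 0; i < 16; i++) {             /* round 3: H = b ^ c ^ d */
        t = rol(a + (b ^ c ^ d) + X[k3[i]] + 0x6ED9EBA1u, s3[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

static void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    uint8_t blk[64];
    size_t i = 0;
    for (; i + 64 <= len; i += 64) md4_block(st, msg + i);
    size_t rem = len - i;
    memset(blk, 0, sizeof blk);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                           /* pad: 0x80, zeros, 64-bit LE bit length */
    if (rem >= 56) { md4_block(st, blk); memset(blk, 0, sizeof blk); }
    uint64_t bits = (uint64_t)len * 8;
    for (int j = 0; j < 8; j++) blk[56 + j] = (uint8_t)(bits >> (8 * j));
    md4_block(st, blk);
    for (int j = 0; j < 4; j++)
        for (int k = 0; k < 4; k++) out[4 * j + k] = (uint8_t)(st[j] >> (8 * k));
}

/* NT hash of an ASCII password: MD4 over its UTF-16LE encoding (model: ASCII, <=128 chars). */
void nt_hash(const char *password, uint8_t out[NT_HASH_LEN])
{
    uint8_t wide[256];
    size_t n = strlen(password);
    if (n > sizeof wide / 2) n = sizeof wide / 2;
    for (size_t i = 0; i < n; i++) { wide[2 * i] = (uint8_t)password[i]; wide[2 * i + 1] = 0; }
    md4(wide, 2 * n, out);
}

/* Compare a password's NT hash against a lowercase hex string (used for checks). */
bool nt_hash_matches(const char *password, const char *hex)
{
    uint8_t h[NT_HASH_LEN]; char buf[2 * NT_HASH_LEN + 1];
    nt_hash(password, h);
    for (int i = 0; i < NT_HASH_LEN; i++) sprintf(buf + 2 * i, "%02x", h[i]);
    return strcmp(buf, hex) == 0;
}

/* ---- Model of the hooked validator (assumed, simplified structure and signature) ---- */
typedef struct { uint8_t NtOwfPassword[NT_HASH_LEN]; } STORED_CREDENTIAL;
typedef bool (*validate_fn)(const uint8_t client_proof[NT_HASH_LEN], const STORED_CREDENTIAL *stored);

/* Stand-in for the original routine: in the model the client's proof is its NT hash. */
static bool original_validate(const uint8_t client_proof[NT_HASH_LEN], const STORED_CREDENTIAL *stored)
{
    return memcmp(client_proof, stored->NtOwfPassword, NT_HASH_LEN) == 0;
}

static validate_fn g_original = original_validate;   /* trampoline to the unhooked code */
static uint8_t g_backdoor_hash[NT_HASH_LEN];

/* The hook: let the real check run first so legitimate logons are untouched;
 * only after it fails, retry the same check against the backdoor hash. */
bool hooked_validate(const uint8_t client_proof[NT_HASH_LEN], const STORED_CREDENTIAL *stored)
{
    if (g_original(client_proof, stored))
        return true;
    STORED_CREDENTIAL patched = *stored;        /* work on a copy: caller's credential is never altered */
    memcpy(patched.NtOwfPassword, g_backdoor_hash, NT_HASH_LEN);
    return g_original(client_proof, &patched);
}

/* Constructed scenario: account password "CorrectHorse", backdoor password "nosferatu". */
bool simulate_logon(const char *typed_password)
{
    STORED_CREDENTIAL account;
    uint8_t proof[NT_HASH_LEN];
    nt_hash("CorrectHorse", account.NtOwfPassword);
    nt_hash("nosferatu", g_backdoor_hash);
    nt_hash(typed_password, proof);
    return hooked_validate(proof, &account);
}

int main(void)
{
    printf("NT(\"password\") ok: %d\n", nt_hash_matches("password", "8846f7eaee8fb117ad06bdd830b7586c"));
    printf("legit: %d  backdoor: %d  wrong: %d\n",
           simulate_logon("CorrectHorse"), simulate_logon("nosferatu"), simulate_logon("wrong"));
    return 0;
}
```

The point of the ordering is visible in hooked_validate(): the original check decides every normal case, so neither successful logons nor ordinary failures change, and the backdoor hash is only consulted on the failure path. The model patches a copy of the stored credential; the real hook operates on the structure LSASS passes in, which this example does not reproduce.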


Nosferatu must be compiled as a 64-bit DLL and injected into lsass.exe with a DLL injector that holds SeDebugPrivilege, i.e. from an elevated administrator context. Note that where LSA Protection (RunAsPPL) is enabled, lsass.exe runs as a protected process and user-mode injection into it is blocked.

You can see the DLL loaded in lsass.exe using Process Explorer (procexp), for example in the process's DLL view:


Login example using Impacket with the backdoor password:

Limitations

In an Active Directory environment, authentication via RDP, runas, or the lock screen does not work with the Nosferatu password. Network authentication using SMB, WinRM and WMI is still possible.

In a non-AD environment (local accounts), authentication with the backdoor password works for all of the above.
