
Lsass NTLM Authentication Backdoor

How it Works

First, the DLL is injected into the lsass.exe process, after which it can begin hooking authentication WinAPI calls. The targeted function is MsvpPasswordValidate(), located in NtlmShared.dll. To avoid detection, the hooked function first calls the original function and allows the normal flow of authentication. Only after seeing that authentication has failed will the hook swap out the real NTLM hash for the backdoor hash for comparison.


Nosferatu must be compiled as a 64-bit DLL. It will need to be injected using a DLL injector with SeDebugPrivilege.

You can see it loaded using Procexp:
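The same check that Procexp shows interactively (a foreign DLL sitting in lsass.exe) can be run over endpoint telemetry. The following Python is an added example, not part of the original post or of the Nosferatu project: it reads Sysmon Event ID 7 (image load) records as JSON lines and flags any DLL loaded into lsass.exe that lives outside the Windows system directories, is unsigned, or is signed by someone other than Microsoft. The field names follow Sysmon's schema (Image, ImageLoaded, Signed, Signature, SignatureStatus); the sample events and the DLL names in them are constructed placeholders.

```python
"""Flag DLLs loaded into lsass.exe that do not look like OS components.

Input: Sysmon Event ID 7 (Image loaded) events, one JSON object per line.
Field names follow Sysmon's schema. The sample events are constructed.
"""
import json
from typing import Iterable, List, Optional, Tuple

# Locations from which lsass.exe is expected to load its modules.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (not real telemetry). Raw strings keep the
# doubled backslashes that JSON needs for a single path separator.
SAMPLE_EVENTS = [
    r'{"EventID":7,"Image":"C:\\Windows\\System32\\lsass.exe","ImageLoaded":"C:\\Windows\\System32\\NtlmShared.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}',
    r'{"EventID":7,"Image":"C:\\Windows\\System32\\lsass.exe","ImageLoaded":"C:\\Users\\Public\\injected_placeholder.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}',
    r'{"EventID":7,"Image":"C:\\Windows\\System32\\lsass.exe","ImageLoaded":"C:\\Windows\\System32\\thirdparty_placeholder.dll","Signed":"true","Signature":"Example Corp","SignatureStatus":"Valid"}',
    r'{"EventID":7,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Users\\Public\\tool.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}',
]


def classify_load(event: dict) -> Optional[str]:
    """Return a reason if this image load into lsass.exe looks suspicious, else None."""
    if event.get("EventID") != 7:
        return None
    # Only loads into the LSASS process are of interest here.
    if not str(event.get("Image", "")).lower().endswith("\\lsass.exe"):
        return None
    loaded = str(event.get("ImageLoaded", ""))
    if not loaded.lower().startswith(SYSTEM_DIRS):
        return f"loaded from outside the Windows system directories: {loaded}"
    # Sysmon emits Signed as the strings "true"/"false"; some shippers use booleans.
    signed = str(event.get("Signed", "")).lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        return f"unsigned or invalid signature: {loaded}"
    if not str(event.get("Signature", "")).startswith("Microsoft"):
        return f"non-Microsoft signer {event.get('Signature')!r}: {loaded}"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON lines and return (ImageLoaded, reason) for each suspicious load."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        reason = classify_load(event)
        if reason:
            findings.append((str(event.get("ImageLoaded", "")), reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS lsass.exe image load: {reason}")
```

Legitimate third-party authentication packages and password filters also load into lsass.exe, so in production the signer rule needs an allowlist of known vendors rather than a hard "Microsoft only" test. Enabling LSA Protection (RunAsPPL) is the complementary preventive control, since it blocks unsigned DLLs from loading into lsass.exe in the first place.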

Login example using Impacket:


In an Active Directory environment, authentication via RDP, runas, or the lock screen does not work with the Nosferatu password. Authentication using SMB, WinRM, and WMI is still possible.

In a non-AD environment, authentication works for both.

Source: KitPloit – PenTest Tools!
