In the previous post, a Raspberry Pi Zero was modified to capture hashes (or rather NTLMv2 responses from the client).
Let’s see how hashcat can be used to crack these responses to obtain the user password. I will be using dictionary based cracking for this exercise on a Windows system.
↪Update: CVE-2016-3302 / MS16-112 patch was released by Microsoft to fix the issue.
This post is an extension to Rob Fuller’s (@mubix) work - https://room362.com/post/2016/snagging-creds-from-locked-machines/ to see how a Raspberry Pi Zero can be used for credential snagging. All credits go to @mubix for the original research. It is recommended to read mubix’s post (if you haven’t already !) before proceeding.
↪