May 28, 2022
Nosferatu-Lsass-NTLM-Authentication-Backdoor.

How Does It Work?

  • The DLL is first injected into the lsass.exe process, where it will begin intercepting authentication WinAPI calls.
  • MsvpPasswordValidate(), found in NtlmShared.dll, is the targeted function.
  • In order to avoid being noticed, the hooked function will call the original function and let the authentication process to proceed normally.
  • The hook will only swap out the true NTLM hash with the backdoor hash for comparison after it has determined that authentication has failed.

 

Disclaimer: The intended use for the tool is strictly educational and should not be used for any other purposes.

 

Download Link: https://github.com/kindtime/nosferatu

Leave a Reply

Your email address will not be published.