Nosferatu is a Lsass NTLM Authentication Backdoor
How It Works
First, the DLL is injected into the lsass.exe process, and will begin hooking authentication WinAPI calls. The targeted function is MsvpPasswordValidate(), located in NtlmShared.dll. In the pursuit of not being detected, the hooked function will call the original function and allow for the normal flow of authentication. Only after seeing that authentication has failed will the hook swap out the actual NTLM hash with the backdoor hash for comparison.
Nosferatu must be compiled as a 64 bit DLL. It must be injected using the a DLL Injector with SeDebugPrivilege.
You can see it loaded using Procexp:
Login example using Impacket:
Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…
Image credit:pexels.com If you think back to the early days of personal computing, you probably…
In an era defined by technological innovation, the way people handle and understand money has…
The online world becomes more visually driven with every passing year. Images spread across websites,…
General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…
How to Send POST Requests Using curl in Linux If you work with APIs, servers,…