Nosferatu is a Lsass NTLM Authentication Backdoor
How It Works
First, the DLL is injected into the lsass.exe
process, and will begin hooking authentication WinAPI calls. The targeted function is MsvpPasswordValidate()
, located in NtlmShared.dll
. In the pursuit of not being detected, the hooked function will call the original function and allow for the normal flow of authentication. Only after seeing that authentication has failed will the hook swap out the actual NTLM hash with the backdoor hash for comparison.
Nosferatu must be compiled as a 64 bit DLL. It must be injected using the a DLL Injector with SeDebugPrivilege.
You can see it loaded using Procexp:
Login example using Impacket:
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…