Nosferatu is a Lsass NTLM Authentication Backdoor
How It Works
First, the DLL is injected into the lsass.exe process, and will begin hooking authentication WinAPI calls. The targeted function is MsvpPasswordValidate(), located in NtlmShared.dll. In the pursuit of not being detected, the hooked function will call the original function and allow for the normal flow of authentication. Only after seeing that authentication has failed will the hook swap out the actual NTLM hash with the backdoor hash for comparison.
Nosferatu must be compiled as a 64 bit DLL. It must be injected using the a DLL Injector with SeDebugPrivilege.
You can see it loaded using Procexp:
Login example using Impacket:
Nginx server blocks let you run more than one website on a single server. Each block…
Tor Browser is a modified version of Firefox that routes all your web traffic through the Tor…
Vagrant is a command-line tool that makes it easy to build and manage virtual machine environments.…
VMware Tools is a set of drivers and services that improves the performance of an Ubuntu…
Java developers use project management tools to automate building their applications. Apache Maven is an open source…
Running programs built for Microsoft's framework on a Linux system is easier than you think. Mono is…