Nosferatu : Lsass NTLM Authentication Backdoor

Nosferatu is an Lsass NTLM authentication backdoor.

How It Works

First, the DLL is injected into the lsass.exe process, where it begins hooking authentication WinAPI calls. The targeted function is MsvpPasswordValidate(), located in NtlmShared.dll. To avoid detection, the hooked function calls the original function and allows the normal flow of authentication. Only after seeing that authentication has failed does the hook swap out the actual NTLM hash with the backdoor hash for comparison.

Usage

Nosferatu must be compiled as a 64-bit DLL. It must be injected using a DLL injector with SeDebugPrivilege.
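Seen from the defender's side, the injection step above leaves traces in Sysmon telemetry (Event ID 7 image load, 8 CreateRemoteThread, 10 ProcessAccess). The following triage sketch is an added example, not part of the original post or the Nosferatu project; the sample records are constructed, and `injector.exe` and `example.dll` are placeholder names.

```python
import ntpath

SYSTEM32 = r"c:\windows\system32"
PROCESS_VM_WRITE = 0x0020  # access right needed to write into another process
LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed Sysmon-style records (fields as in Event IDs 7, 8 and 10).
# injector.exe and example.dll are placeholder names, not taken from the page.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LSASS, "ImageLoaded": r"C:\Windows\System32\NtlmShared.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\injector.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\injector.exe", "TargetImage": LSASS},
    {"EventID": 7, "Image": LSASS, "ImageLoaded": r"C:\Users\Public\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000"},
]

def is_lsass(path):
    return ntpath.basename(path or "").lower() == "lsass.exe"

def triage(events):
    """Return (reason, event) pairs that point at code injected into lsass.exe."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7 and is_lsass(ev.get("Image")):
            # Heuristic: modules in lsass.exe should be validly signed and in System32.
            signed = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
            in_sys32 = ntpath.dirname(ev.get("ImageLoaded", "")).lower() == SYSTEM32
            if not (signed and in_sys32):
                findings.append(("unexpected module loaded into lsass.exe", ev))
        elif eid == 8 and is_lsass(ev.get("TargetImage")):
            findings.append(("remote thread created in lsass.exe", ev))
        elif eid == 10 and is_lsass(ev.get("TargetImage")):
            if int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_WRITE:
                findings.append(("handle to lsass.exe opened with write access", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, "<-", ev.get("SourceImage") or ev.get("ImageLoaded"))
```

With LSA protection (RunAsPPL) enabled, lsass.exe runs as a protected process and ordinary processes cannot open it with write access, even when they hold SeDebugPrivilege.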

You can see it loaded using Procexp:

Login example using Impacket:

R K
