Help!
I’m stuck on interpreting a NetNTLMv2 result.
Context:
- Target is a Windows Server domain controller
- SMB signing is required on the DC.
- Anonymous SMB and guest access fail.
- Responder captures repeated LLMNR/NBT-NS/mDNS requests for FileServer/FileServer.local.
- I captured a NetNTLMv2 response for a domain user.
- John cracks the NetNTLMv2 response to a plaintext candidate.
- However, the plaintext fails normal authentication:
  - SMB: STATUS_LOGON_FAILURE
  - LDAP simple bind: error 49 / data 52e
  - WinRM: login failure
- Kerbrute confirms the username exists.
- I also tested LDAP relay with ntlmrelayx, but I’m still checking whether LDAP signing/channel binding or the authentication type blocks it.
Question:
Does a cracked NetNTLMv2 response that fails SMB/LDAP/WinRM usually indicate a stale/cached NTLM response, password change, old-password NTLM behaviour, wrong domain/format issue, or something else? What would be the correct methodology to prove which case it is, without just brute forcing?