**Network security: LAN Manager authentication level** is the GPO responsible for re-introducing NTLMv1, which has been disabled by default since Windows Server 2008 but which administrators may re-enable for backwards compatibility. The most common vulnerable configuration would look like this from the GPO:
Configuring the policy sets the registry value:
`HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel`
Values 0, 1 and 2 leave NTLMv1 enabled.
If we have access to a domain-joined machine we can check whether the domain is vulnerable by querying the value on that host:

```
reg query HKLM\System\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel
```
Otherwise, we launch Responder with its SMB server enabled, then either wait until a host connects to us as a result of the LLMNR/NBT-NS poisoning or, if we have domain credentials, fire up Coercer.
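The registry check above, done from the defender's side as an added example (this script is not part of the original notes). It reads the effective `LmCompatibilityLevel` on the host it runs on, maps the number to the text shown in the GPO editor, flags anything at 2 or below (the range the notes identify as leaving NTLMv1 enabled), and then searches the Security log for successful logons that actually used NTLMv1, which is the signal that a weak setting is being exercised rather than merely configured. The function names `Get-LmCompatibilityLevel` and `Find-NtlmV1Logons` are my own; the script assumes an elevated PowerShell prompt on a Windows host with logon auditing (event 4624) enabled.

```powershell
# Added example, not from the original notes. Audits this host's
# LmCompatibilityLevel and looks for NTLMv1 logons in the Security log.

# Text shown for each value in the GPO editor.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $path -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default applies and no policy is enforcing it.
        return [pscustomobject]@{
            Level         = $null
            Meaning       = 'not set (OS default applies; not enforced by policy)'
            NtlmV1Allowed = $false
        }
    }
    $level = [int]$item.LmCompatibilityLevel
    [pscustomobject]@{
        Level         = $level
        Meaning       = $LmLevels[$level]
        NtlmV1Allowed = ($level -le 2)   # 0, 1 and 2 still send an NTLMv1 response
    }
}

# Successful logons (4624) whose "Package Name (NTLM only)" field is NTLM V1,
# within the last $Days days. Hypothetical function name; needs an elevated prompt.
function Find-NtlmV1Logons {
    param([int]$Days = 7)
    $ms = $Days * 86400000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Domain      = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
                Workstation = ($d | Where-Object Name -eq 'WorkstationName').'#text'
                SourceIp    = ($d | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
}

$audit = Get-LmCompatibilityLevel
$audit | Format-List
if ($audit.NtlmV1Allowed) {
    Write-Warning ("LmCompatibilityLevel={0} allows NTLMv1; set the GPO to " +
                   "'Send NTLMv2 response only. Refuse LM & NTLM' (value 5).") -f $audit.Level
}
Find-NtlmV1Logons -Days 7 | Format-Table -AutoSize
```

Run it on a representative domain member rather than only on a domain controller: the value is what the GPO pushed to that machine, so a host outside the GPO's scope can report a different level from its neighbours. A non-empty result from `Find-NtlmV1Logons` on a host already set to 3 or higher points to another client on the network that still sends NTLMv1 to it, which is what the logon events identify by workstation name and source address.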
TO DO…