Add ESS downgrade parameter

[Hackndo]

Description

This is a PoC PR that adds a --disable-ess parameter to unset an NTLM negotiation flag..

As per MS documentation (thank you @cnotin for pointing me to the right direction), this information is provided:

Unlike plain NTLMv1 or NTLMv2, NTLMv1 w/ ESS is actually negotiated between a client and a server (NTLMv1 and NTLMv2 are configured using security key LmCompatibilityLevel). It is negotiated by setting a bit in NegotiateFlags, called P bit (MS-NLMP, section 2.2.2.5). Another name for this field is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY. Yet another name for this flag that I found is “Negotiate NTLM2 Key”.

Adding --disable-ess to Responder CLI will unset the Negotiate Extended Security flag.

When this flag is not set, and lmcompatibilitylevel is set to 0, 1 or 2, then ESS won't be used, and NTLMv1 hash will be crackable using https://crack.sh

Example

Without using this flag

WITH this flag

This hash can be uploaded to crack.sh to find corresponding NT hash.

I know I leaked some hashes, it doesn't matter, it's on my lab

[mpgn]

@cnotin is on the red team side for sure

[cnotin]

"not guilty" 😉

[Hackndo]

@lgandx as per discussed, I added two commits

[lgandx]

Ready to go.
--lm was already doing it, but as discussed not everyone uses --lm and it's definitely worth having it on most recent default SMBv1 dialect.
Thanks for your submission!

[Hackndo]

It's actually working for SMBv1 and SMBv2

[mpgn]