05-17-2024, 02:30 PM
Based on the work done by synacktiv, philsmd, and others (and with the radmin3_to_hashcat.pl in mind) I've built an updated "radmin3_to_hashcat.py" that works again with Radmin v3.5. I'm now moving on to extracting the necessary identifiers from network traces (in pcapng format)... My progress has been basically halted with the verifier (hash).
So far, I've managed to identify and pull everything out of the trace properly:
Username (type 16): 0x2000 (not 0x1000 like in the registry)
Modulus (type 48): 0x3000
Generator (type 64): 0x4000
Salt (type 80): 0x5000
Verifier (type 96): 0x6000
However, the packet stream contains 2 verifiers (128 bytes apiece). I'm sure I'm missing some crucial piece of the puzzle here, but neither of them works with my test credentials.
Test credentials as parsed from .reg file (pass=freefree) [working]
Username: admin (610064006d0069006e00)
Salt: 52a11b9f447cc3959ae983808e0a2c1095972e8c651d319af603fc937d55afe4
Modulus: 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
Generator: 05
Verifier: 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
Test credentials as parsed from .pcapng file (pass=freefree) [failed, obviously]
Username: admin (610064006d0069006e00)
Salt: 52a11b9f447cc3959ae983808e0a2c1095972e8c651d319af603fc937d55afe4
Modulus: 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
Generator: 05
Verifier1: 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
Verifier2: 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
Note that the verifiers are different on every capture, while the salt and everything else remains static/intact. If this means I have to crack open the .exe and start reversing, it basically means I'm done here and now. Unless of course anyone has an idea of what's going on that can help me finish this thing.
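Added example, not part of the post above and not code from the radmin3_to_hashcat scripts: a generic SRP-6a handshake in Python, using the RFC 5054 1024-bit group and the RFC 5054 SHA-1 derivations, to show the difference between the verifier v = g^x mod N, which is a fixed function of salt, username and password and never crosses the wire, and the per-connection ephemeral public values A and B, which are 128-byte group elements that change on every session. The post does not spell out Radmin 3's exact hash derivation or password encoding, so everything below is the textbook scheme; the UTF-16LE username and 32-byte salt from the post are reused only as constructed inputs, the password is encoded as UTF-16LE by assumption, and the verifier this code computes is not the registry value shown above.

```python
import hashlib
import secrets

# RFC 5054, Appendix A: 1024-bit group. N is a safe prime, g = 2.
# A 1024-bit N makes every group element (v, A, B) a 128-byte value.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """SHA-1 over the concatenation, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s | H(I | ':' | P)): the only place the password enters (RFC 5054 form)."""
    return H(salt, hashlib.sha1(identity + b":" + password).digest())


def verifier(salt: bytes, identity: bytes, password: bytes) -> int:
    """v = g^x mod N. Static for a given (salt, identity, password); this is the cracking target."""
    return pow(g, private_x(salt, identity, password), N)


def client_ephemeral() -> tuple[int, int]:
    """Client picks a random a and sends A = g^a mod N. Fresh on every connection."""
    a = secrets.randbits(256)
    return a, pow(g, a, N)


def server_ephemeral(v: int) -> tuple[int, int]:
    """Server picks a random b and sends B = (k*v + g^b) mod N. Also fresh per connection."""
    k = H(pad(N), pad(g))
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N


def client_session_key(salt: bytes, identity: bytes, password: bytes,
                       a: int, A: int, B: int) -> int:
    """Client side: S = (B - k*g^x)^(a + u*x) mod N."""
    x = private_x(salt, identity, password)
    k = H(pad(N), pad(g))
    u = H(pad(A), pad(B))
    base = (B - k * pow(g, x, N)) % N  # removes k*v, leaving g^b
    return pow(base, a + u * x, N)


def server_session_key(v: int, A: int, b: int, B: int) -> int:
    """Server side: S = (A * v^u)^b mod N. Equals the client's S only if the password matched."""
    u = H(pad(A), pad(B))
    return pow((A * pow(v, u, N)) % N, b, N)


def run_handshake(salt: bytes, identity: bytes, password: bytes, v: int) -> dict:
    """One full exchange. Returns what went over the wire (A, B) and both sides' keys."""
    a, A = client_ephemeral()
    b, B = server_ephemeral(v)
    return {
        "A": A,
        "B": B,
        "client_S": client_session_key(salt, identity, password, a, A, B),
        "server_S": server_session_key(v, A, b, B),
    }


# Constructed inputs: the UTF-16LE username and 32-byte salt quoted in the post,
# plus the test password encoded as UTF-16LE (an assumption, to match the username).
IDENTITY = bytes.fromhex("610064006d0069006e00")
SALT = bytes.fromhex("52a11b9f447cc3959ae983808e0a2c1095972e8c651d319af603fc937d55afe4")
PASSWORD = "freefree".encode("utf-16-le")

if __name__ == "__main__":
    v = verifier(SALT, IDENTITY, PASSWORD)
    s1 = run_handshake(SALT, IDENTITY, PASSWORD, v)
    s2 = run_handshake(SALT, IDENTITY, PASSWORD, v)
    print("v (static, never sent):", pad(v).hex()[:32], "...", len(pad(v)), "bytes")
    print("A, session 1          :", pad(s1["A"]).hex()[:32], "...")
    print("A, session 2          :", pad(s2["A"]).hex()[:32], "...")
    print("keys agree            :", s1["client_S"] == s1["server_S"],
          s2["client_S"] == s2["server_S"])
```

Running it twice in a row prints the same v but different A values, and both sides still agree on the session key each time. In a capture of a textbook SRP exchange, the 128-byte values that differ from session to session are therefore A and B, not v; whether Radmin 3's handshake follows this layout is not something the post establishes, and the real derivation of x, k and u would have to come from the existing radmin3_to_hashcat work or from the protocol itself.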