hashcat Forum

Full Version: Creating NetNTLMv2 hashes
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
It took me a while to find/figure this out recently so I thought I'd post it here in case it helped anyone else. If nothing else I'll probably forget the details in a couple weeks and I can just use it to remind myself. Smile

NetNTLMv2 hash format (-m 5600) appears to have been introduced in a hashcat-0.43 beta and was originally aligned with JtR as follows:

$NETNTLMv2$USERDOMAIN$1122334455667788$d2d10fab083e422123c693587315814a$0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000

By the time 0.43 was officially released this had been changed to its current format, which is aligned with l0phtcrack:

test::LAB:1122334455667788:3b482ca7d786401abd40c4bce7f1c283:0101000000000000ebfbd8bf8d24ce01a31384a499a4935800000000020000000000000000000000

The format of this layout is:

Username:Big Grinomain:Challenge:NTLMv2hash(aka HMAC-MD5):blob(entire NTLMv2 response except the HMAC that was in the preceding field)

If you're using Cain to capture/process these negotiations, there is no export functionality so you'll need to take them directly from the NTLMv2.LST file which is located here:

%PROGRAMFILES%\Cain\NTLMv2.LST

To put them in the lc/hashcat format, you can use:

awk -v OFS=":" -F "\t" '{print($1,"",$2,$5,$4,$6)}' NTLMv2.LST > ntlmv2.hashes

Hope someone finds this useful.
BTW, anyone know why the double colon after the user name?

test::LAB:112...

Was there originally some other field meant to go there that is now omitted, or just some quirk of the format decision they made?

It almost seems like that's where the password should go if it was known, but even if that was the original intent I can't really say I like the idea of hashcat changing its output format just for this one hash style.

If that was the original intent, you can use:

awk -v OFS=":" -F "\t" '{print($1,$3,$2,$5,$4,$6)}' NTLMv2.LST

to accomplish this; hashcat just ignores that field and will try to crack it all the same. Could be useful for sanity/regression testing I suppose.

Anyway, doesn't really matter, just curious.