hashcat Forum
NTLM and Line Length - Printable Version



NTLM and Line Length - Chinchilla - 06-13-2013

Hello,

I am a new user to hashcat-plus, but I want to get better. My question is about NTLM input. I have a large list of hashes in the following format:

sys:$NT$7f8fe03093ccxxxx67b109625f6bbf4b

I have tried a bunch of different formats but -m 1000 (NTLM) seems to be the only one that I can get to work, and the only way I can get it to work is to delete the username:$NT$. Other than that I get a line-length exception.

I saw another thread: (https://hashcat.net/forum/thread-2047.html) that explained the format, and it does not look like mine at all. I don't think I am using the right format, but I have tried everything Windows related.

Does hashcat have a format that will support the username:$NT$?

JtR has a format 'nt' that works really well, but I want to put my GPUs to work.

Thanks,
Chinchilla


RE: NTLM and Line Length - philsmd - 06-13-2013

All formats are very well documented here: http://hashcat.net/wiki/doku.php?id=example_hashes
(with examples).

Did you try those?


RE: NTLM and Line Length - Chinchilla - 06-13-2013

(06-13-2013, 06:51 PM)philsmd Wrote: All formats are very well documented here: http://hashcat.net/wiki/doku.php?id=example_hashes
(with examples).

Did you try those?

Thanks for the speedy response.

In short yes, not all of them, but the ones that are related to Windows credentials.

I should have been more clear with my problem. Without a username, the cracked hashes will just be a listing of passwords without anything to tie them to.

-m 1000 (NTLM) works, insofar as it will not error out when I input my 32-character hash. But this gives me 2 problems:

1. Without a username, there will be no traceability.

2. The hashed password is relatively simple, 'Passphrase', and it is not cracking even though it is in my dictionary.

Thanks


RE: NTLM and Line Length - radix - 06-13-2013

Once you have recovered the pass you can use --username and --show to pair them back up with the username.

As for not finding the pass, verify that your dictionary does not have extra chars on the end (like a carriage return, or some funk from Windows formats). To verify that the hash is legit, you can try -a 3 Passphrase and see if it will recover.





RE: NTLM and Line Length - mastercracker - 06-13-2013

(06-13-2013, 07:06 PM)Chinchilla Wrote: 1. Without a username, there will be no traceability.

2. The hashed password is relatively simple, 'Passphrase', and it is not cracking even though it is in my dictionary.

Thanks

1. When you crack it, you get Hash:Password. You can use the hash to "link" it back. Otherwise, you can use the --username switch like radix said.

2. Make sure that the passphrase is less than 16 characters long including spaces if present.
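
As an added example (not code from the thread or from the hashcat project), a pre-flight check for the two failure modes discussed above: hash lines that are not a bare 32-hex NTLM digest, and wordlist entries that carry a trailing carriage return or exceed the length limit mentioned in this thread. The function names, the sample lines and the default limit of 15 (taken from the "less than 16 characters" advice for this old version) are assumptions.

```python
import re

NT_PREFIX = "$NT$"                      # JtR-style tag from the question
HEX32 = re.compile(r"[0-9a-fA-F]{32}")  # NTLM digest: 16 bytes = 32 hex chars


def normalize_hash_line(raw):
    """Return 'user:hash' (for -m 1000 with --username) or a bare 'hash'.

    Raises ValueError when the line cannot be an NTLM digest.
    """
    line = raw.rstrip("\r\n")           # drop CRLF left by Windows tools
    user, sep, rest = line.rpartition(":")
    digest = rest[len(NT_PREFIX):] if rest.startswith(NT_PREFIX) else rest
    if not HEX32.fullmatch(digest):
        raise ValueError(f"not a 32-char hex digest: {digest!r}")
    return f"{user}:{digest.lower()}" if sep else digest.lower()


def check_wordlist(lines, max_len=15):
    """Return (line_no, problem) pairs for candidates that can silently miss.

    Read the file with open(path, newline="") so '\\r' is preserved.
    max_len=15 is an assumption based on the limit quoted in this thread.
    """
    problems = []
    for no, raw in enumerate(lines, 1):
        word = raw.rstrip("\n")
        if word.endswith("\r"):
            problems.append((no, "trailing carriage return"))
            word = word.rstrip("\r")
        if len(word) > max_len:
            problems.append((no, f"longer than {max_len} chars"))
    return problems


# Constructed sample input (not real credentials).
SAMPLE_HASHES = [
    "sys:$NT$0123456789abcdef0123456789abcdef\r\n",
    "0123456789ABCDEF0123456789ABCDEF\n",
    "bob:$NT$0123456789abcdef\n",       # truncated digest, must be rejected
]
SAMPLE_WORDS = ["Passphrase\r\n", "Passphrase\n", "a much longer passphrase\n"]

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        try:
            print(normalize_hash_line(h))
        except ValueError as err:
            print("rejected:", err)
    print(check_wordlist(SAMPLE_WORDS))
```

The redacted hash shown in the question would also be rejected here, since the masked `xxxx` characters are not hexadecimal.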


RE: NTLM and Line Length - Chinchilla - 06-13-2013

(06-13-2013, 07:10 PM)radix Wrote: Once you have recovered the pass you can use --username and --show to pair them back up with the username.

Thanks,

I used the --username flag and did some GREP massaging and it worked on both my test 'Passphrase' and the credentials I dumped yesterday. (I am a pentester) Running like a dream right now.

I look forward to contributing to this site in the future.

Thanks again,
Chinchilla


RE: NTLM and Line Length - Chinchilla - 06-13-2013

(06-13-2013, 07:19 PM)mastercracker Wrote: 1. When you crack it, you get Hash:Password. You can use the hash to "link" it back. Otherwise, you can use the --username switch like radix said.

2. Make sure that the passphrase is less than 16 characters long including spaces if present.

I will experiment with the 'linking' when it has cracked enough passwords. Could throw these into an Excel spreadsheet and do a VLOOKUP if nothing else.

Thank you for your response, and thanks for the knowledge!


RE: NTLM and Line Length - radix - 06-13-2013

gief me your ntlms pl0x
