NTLMv2 -- Not finding password
hashcat Forum (https://hashcat.net/forum), Old hashcat Support, thread /thread-2568.html

NTLMv2 -- Not finding password - PnkPanther - 08-29-2013

I know the password but I can't get hashcat to find it. It's NTLMv2. I've tried a dictionary file with the password in it, and brute/mask. Anyone know what I'm doing wrong?

The password is Newpass8

Here's the input:

Code:
hashcat-cli32.exe -m 5600 -a 3 -o key ntlm2.txt Newpass?d

Here is the contents of ntlm2.txt

Code:
Administrator::WIN-HMH39596ABN:1122334455667788:80be64a4282577cf3b80503f4acb0e5a:0101000000000000f077830c70a4ce0114ddd5c22457143000000000020000000000000000000000

Input.Mode: Mask (Newpass?d)
Index.....: 0/1 (segment), 10 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10/10 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Thu Aug 29 00:56:26 2013
Stopped: Thu Aug 29 00:56:27 2013

Many thanks for your help.

RE: NTLMv2 -- Not finding password - epixoip - 08-29-2013

the challenge is likely incorrect. what tool(s) did you use to initiate the challenge and capture the response?

RE: NTLMv2 -- Not finding password - PnkPanther - 08-29-2013

(08-29-2013, 08:15 AM)epixoip Wrote:
the challenge is likely incorrect. what tool(s) did you use to initiate the challenge and capture the response?

I used the auxiliary/smb module metasploit. I checked in wireshark to make sure. But I'm new to NTLMv2 so I could be wrong.

RE: NTLMv2 -- Not finding password - atom - 08-29-2013

The hash is somehow invalid, oclHashcat-plus won't even load it. Check out https://hashcat.net/wiki/doku.php?id=example_hashes for a valid example

RE: NTLMv2 -- Not finding password - epixoip - 08-29-2013

it loads for me if you remove the control character in the middle of the hash

RE: NTLMv2 -- Not finding password - atom - 08-29-2013

on oclHashcat-plus as well? It has a more sharp (but also more correct) hash parser

RE: NTLMv2 -- Not finding password - PnkPanther - 08-29-2013

Okay thanks Atom and Epixoip, I'm sure it's a bad hash.

For anyone who makes this mistake as I did, check out the difference in packet captures between the smb module and a legitimate login, there's a big difference. Back to the drawing board.

RE: NTLMv2 -- Not finding password - magnum - 08-30-2013

It's not a bad hash. The problem is that the salt (username + domainname) is longer than the (optimized) max of 27 characters. JtR can crack it using the CPU format but not the GPU one.

RE: NTLMv2 -- Not finding password - PnkPanther - 08-30-2013

(08-30-2013, 01:28 AM)magnum Wrote:
It's not a bad hash. The problem is that the salt (username + domainname) is longer than the (optimized) max of 27 characters. JtR can crack it using the CPU format but not the GPU one.

Are you sure? I've tried john --format=netntlmv2 /root/Desktop/hash with the following and get "No password hashes loaded (see FAQ)".

username:$Administrator$WIN-HMH39596ABN$1122334455667788$80be64a4282577cf3b80503f4acb0e5a$0101000000000000f077830c70a4ce0114ddd5c22457143000000000020000000000000000000000:::::::

I'd rather use hashcat anyway, but would like to know how you cracked it.

RE: NTLMv2 -- Not finding password - magnum - 08-30-2013

(08-30-2013, 02:59 AM)PnkPanther Wrote:
(08-30-2013, 01:28 AM)magnum Wrote:
It's not a bad hash. The problem is that the salt (username + domainname) is longer than the (optimized) max of 27 characters. JtR can crack it using the CPU format but not the GPU one.

Yeah I'm sure, it's still in my console buffer:

Code:
$ ../run/john test

I did remove the binary crap that epixoip mentioned. I tried pasting the correct one here but the forum re-adds the binary crap at the line wrap.
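
Added example, not part of any post in the thread and not hashcat or JtR code: a small Python check for the two causes raised above, a stray control character inside a user::domain:challenge:hmac:blob line and a username + domain salt longer than the 27 characters magnum cites. The function name, the SALT_MAX default and the sample lines are assumptions made for illustration; the hex fields in the samples are constructed.

```python
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")
# Assumption: 27 is the username+domain limit magnum cites in the thread for the
# optimized code path; pass another value if your build documents a different one.
SALT_MAX = 27

def check_netntlmv2_line(line, salt_max=SALT_MAX):
    """Return a list of problems in one 'user::domain:challenge:hmac:blob' line."""
    line = line.rstrip("\r\n")
    problems = []
    # A stray control byte (e.g. pasted in at a line wrap) makes strict parsers reject the line.
    ctrl = [i for i, ch in enumerate(line) if ord(ch) < 0x20 or ord(ch) == 0x7F]
    if ctrl:
        problems.append(f"control character at offset(s) {ctrl}")
    fields = line.split(":")
    if len(fields) != 6 or fields[1] != "":
        problems.append(f"expected 6 ':'-separated fields with empty field 2, got {len(fields)}")
        return problems
    user, _, domain, challenge, proof, blob = fields
    for name, value, want_len in (("challenge", challenge, 16),
                                  ("hmac", proof, 32),
                                  ("blob", blob, None)):
        if not HEX_RE.fullmatch(value):
            problems.append(f"{name} is not pure hex")
        elif want_len is not None and len(value) != want_len:
            problems.append(f"{name} is {len(value)} hex chars, expected {want_len}")
        elif len(value) % 2:
            problems.append(f"{name} has an odd number of hex chars")
    salt_len = len(user) + len(domain)
    if salt_len > salt_max:
        problems.append(f"salt (user+domain) is {salt_len} chars, over the limit of {salt_max}")
    return problems

# Constructed samples: account and host names as in the thread, hex fields made up.
SAMPLE = "Administrator::WIN-HMH39596ABN:1122334455667788:" + "ab" * 16 + ":" + "0101" + "00" * 26
DIRTY = SAMPLE[:60] + "\x0b" + SAMPLE[60:]  # same line with a vertical tab inside the hmac field

if __name__ == "__main__":
    for label, line in (("clean", SAMPLE), ("dirty", DIRTY)):
        print(label, check_netntlmv2_line(line) or "ok")
```

Running it over a capture file line by line before loading the file into a cracker shows whether a rejection comes from the line's encoding or from the salt length.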