hashcat Forum
cracking a domain cachedump - Printable Version




cracking a domain cachedump - slawson - 11-07-2014

I obtained a Domain Cache dump via cachedump SYSTEM SECURITY. I ran oclhashcat on the hash using the hash type 1000 for NTLM. Oclhashcat picked up the hash, but didn't match any passwords. Since then I noticed that hash type 1100 is for Domain Cached Credentials. Do I need to re-run the oclhashcat using 1100 or would the 1000 work if I had the right password?


RE: cracking a domain cachedump - Mem5 - 11-07-2014

1100 works with the format hash:username
1000 is pure NTLM hash.


RE: cracking a domain cachedump - slawson - 11-07-2014

When I processed the file using hash type 1000 I used the --username parameter and Oclhashcat recognized the hashes that were in the file, but it didn't crack it. I ran the same scan using hash type 1100 and oclhashcat cracked one of the hashes.

Can you clear me up on why the hash type 1000 would scan but not crack?


RE: cracking a domain cachedump - Si2006 - 11-08-2014

Because you used the --username switch which ignores what is before or after a colon :


RE: cracking a domain cachedump - slawson - 11-08-2014

I guess I didn't make my question clear enough. I will rephrase it. If I have a hash from a Domain Credentials cache dump, can I crack it by using either hash type 1000 or 1100? My testing shows that cracking via type 1100 is about 75% slower.

The reason I ask is because Oclhashcat accepted the hash when I used type 1000, but it didn't crack anything.


RE: cracking a domain cachedump - Mem5 - 11-08-2014

NTLM hashes are 32 chars long, without username, and cracked with mode 1000.

"it didn't crack anything" -> not the problem of oclhashcat! It's your problem: bad wordlist, bad bruteforce mask, etc.


RE: cracking a domain cachedump - undeath - 11-08-2014

(11-08-2014, 04:44 AM)slawson Wrote: If I have a hash from a Domain Credentials cache dump, can I crack it by using either hash type 1000 or 1100? My testing shows that cracking via type 1100 is about 75% slower.
Of course you can. And if this doesn't work try MD5. I mean, all those hash types are just to confuse users. Use whatever gives no error and is faster than the other modes!