+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old oclHashcat Support (https://hashcat.net/forum/forum-38.html)
+--- Thread: NTLM Issues [Solved] (/thread-4406.html)
NTLM Issues [Solved] - skillskills - 06-02-2015
I seem to be having an issue with cracking some of my NTLM hashes.
Currently I have dumped a 2008R2 SAM using VSS in combination with QwarksPWDump util to get it into a txt file.
They appear like this example:
PHP Code:
user:4265:AA############################EE:18####################F1D2A5CB06:::
I have removed:
PHP Code:
user:salt_idk?:AA############################EE:
Leaving me with what I think is the NTLM:
PHP Code:
18####################F1D2A5CB06
I use the following command:
Code:
cudaHashcat64.exe -m 1000 -o recovered.txt hashes.txt wordlist.txtI am unable to crack any of the passwords even though I have set my own password in AD manually and placed it in the wordlist.txt I did add in the example hashcat NTLM and it was able to retrieve it fine. I dont get any errors either about line length.
My impression is that the export is suspect. Any ideas?
RE: NTLM Issues - skillskills - 06-02-2015
It was my own fault for not reading the documentation on QwarksPWDump
http://blog.quarkslab.com/quarks-pwdump.html
"For example, it's not possible to parse Win 2008 NTDS.dit file from XP. In fact, record's checksum are computed in a different manner and database files appear corrupted for API functions."
I just dumped the hashes on using the utility on Windows 7 not on the DC itself, running the same application against the same hash files over Win7, server 2008R2 , and Server 2012R2 gave all different hashes.