NTLM Issues [Solved] - Printable Version +- hashcat Forum (https://hashcat.net/forum) +-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html) +--- Forum: Old oclHashcat Support (https://hashcat.net/forum/forum-38.html) +--- Thread: NTLM Issues [Solved] (/thread-4406.html) |
NTLM Issues [Solved] - skillskills - 06-02-2015 I seem to be having an issue with cracking some of my NTLM hashes. Currently I have dumped a 2008R2 SAM using VSS in combination with QwarksPWDump util to get it into a txt file. They appear like this example: PHP Code: user:4265:AA############################EE:18####################F1D2A5CB06::: I have removed: PHP Code: user:salt_idk?:AA############################EE: Leaving me with what I think is the NTLM: PHP Code: 18####################F1D2A5CB06 I use the following command: Code: cudaHashcat64.exe -m 1000 -o recovered.txt hashes.txt wordlist.txt I am unable to crack any of the passwords even though I have set my own password in AD manually and placed it in the wordlist.txt I did add in the example hashcat NTLM and it was able to retrieve it fine. I dont get any errors either about line length. My impression is that the export is suspect. Any ideas? RE: NTLM Issues - skillskills - 06-02-2015 It was my own fault for not reading the documentation on QwarksPWDump http://blog.quarkslab.com/quarks-pwdump.html "For example, it's not possible to parse Win 2008 NTDS.dit file from XP. In fact, record's checksum are computed in a different manner and database files appear corrupted for API functions." I just dumped the hashes on using the utility on Windows 7 not on the DC itself, running the same application against the same hash files over Win7, server 2008R2 , and Server 2012R2 gave all different hashes. |