+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old hashcat Support (https://hashcat.net/forum/forum-20.html)
+--- Thread: Penetration test of MS VPN (/thread-5356.html)
Penetration test of MS VPN - Adavan - 03-28-2016
Hello.
I used this very good tool for testing security threads on solutions for our customer. About week later i try do penetration test for MS VPN (NetNTLMv2).
I setup scenario with "MIDM" and catch challenge and response for autentification with Wireshark. Now, real challenge start with right assemble this information to format acceptable by Hashcat
.I not realize this before, it seems, that i am do something wrong, but i am not able find this mistake.
So. situation is below:
I run script "crack_vpn.sh" (for easy edit and place comments for my colleagues)
Code:
./hashcat-cli64.bin -a 3 -m 5600 /home/shared/hashcat/INPUT/test_enc.txt ?d?d?d?d?d?d -o /home/shared/hashcat/OUTPUT/test_dec.txttest_enc.txt (maybe in this format i do mistake, for security reason i not place some information)
Code:
<user_name>:<domain>:<name_of_user's_pc>:1122334455667788:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00I am not sure with 1122334455667788. How can i check it from Wireshark?
Hashcat result:
Code:
XXX@LinuxUbuntu hashcat$ ./crack_vpn.sh
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...
Added hashes from file /home/shared/hashcat/INPUT/test_enc.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Input.Mode: Mask (?d?d?d?d?d?d) [6]
Index.....: 0/1 (segment), 1000000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 3.40M plains, 3.40M words
Progress..: 1000000/1000000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Mon Mar 28 12:54:48 2016
Stopped: Mon Mar 28 12:54:49 2016My colleague do connect and i am sure, that he set his password for only 6 digit (1 milion possibilities). Hashcat accept format of this input file, but not calculate password
.Hash should be OK, i try do this capture in our customer and hashes looks similar.
Many thanks for any effort.
RE: Penetration test of MS VPN - epixoip - 03-28-2016
(03-28-2016, 01:17 PM)Adavan Wrote: I am not sure with 1122334455667788. How can i check it from Wireshark?
This is the challenge. Typically you need to control this value.
RE: Penetration test of MS VPN - Adavan - 03-29-2016
(03-28-2016, 05:15 PM)epixoip Wrote:Hello.(03-28-2016, 01:17 PM)Adavan Wrote: I am not sure with 1122334455667788. How can i check it from Wireshark?
This is the challenge. Typically you need to control this value.
Thank you for response.
I try change it to:
Code:
<user_name>:<domain>:<name_of_user's_pc>:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00hascat generate error message:
Code:
XXX@LinuxUbuntu hashcat$ ./crack_vpn.sh
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...
Skipping hash: <user_name>:<domain>:<name_of_user's_pc>:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00 (signature unmatched)
No hashes loadedI assemble it by the key:
Code:
<user_name>:<domain>:<name_of_user's_pc>:<challenge>:<response>I think, that some value is missing or isnt in right place, or in right format
.In this thread i found information about value "blob". What it is? Maybe stupid question, but i want teach this
.Thank you all for any effort.