Penetration test of MS VPN - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Deprecated; Previous versions (https://hashcat.net/forum/forum-29.html)
+--- Forum: Old hashcat Support (https://hashcat.net/forum/forum-20.html)
+--- Thread: Penetration test of MS VPN (/thread-5356.html)

Penetration test of MS VPN - Adavan - 03-28-2016

Hello.

I used this very good tool for testing security threats on solutions for our customer. About a week later I tried to do a penetration test for MS VPN (NetNTLMv2). I set up a scenario with "MITM" and caught the challenge and response for authentication with Wireshark.

Now the real challenge starts: assembling this information correctly into a format acceptable to Hashcat. I did not realize this before. It seems that I am doing something wrong, but I am not able to find the mistake.

So the situation is below:

I run the script "crack_vpn.sh" (for easy editing and placing comments for my colleagues)

Code:
./hashcat-cli64.bin -a 3 -m 5600 /home/shared/hashcat/INPUT/test_enc.txt ?d?d?d?d?d?d -o /home/shared/hashcat/OUTPUT/test_dec.txt

test_enc.txt (maybe I made a mistake in this format; for security reasons I have not included some information)

Code:
<user_name>:<domain>:<name_of_user's_pc>:1122334455667788:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00

I am not sure about 1122334455667788. How can I check it from Wireshark?

Hashcat result:

Code:
XXX@LinuxUbuntu hashcat$ ./crack_vpn.sh

My colleague did the connection and I am sure that he set his password to only 6 digits (1 million possibilities). Hashcat accepts the format of this input file, but does not calculate the password. The hash should be OK; I tried doing this capture at our customer and the hashes look similar.

Many thanks for any effort.

RE: Penetration test of MS VPN - epixoip - 03-28-2016

(03-28-2016, 01:17 PM)Adavan Wrote: I am not sure with 1122334455667788. How can i check it from Wireshark?

This is the challenge. Typically you need to control this value.

RE: Penetration test of MS VPN - Adavan - 03-29-2016

(03-28-2016, 05:15 PM)epixoip Wrote: (03-28-2016, 01:17 PM)Adavan Wrote: I am not sure with 1122334455667788. How can i check it from Wireshark?

Hello.

Thank you for the response.
I tried changing it to:

Code:
<user_name>:<domain>:<name_of_user's_pc>:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00

hashcat generates an error message:

Code:
XXX@LinuxUbuntu hashcat$ ./crack_vpn.sh

I assembled it by the key:

Code:
<user_name>:<domain>:<name_of_user's_pc>:<challenge>:<response>

I think that some value is missing, or isn't in the right place, or isn't in the right format. In this thread I found information about the value "blob". What is it? Maybe a stupid question, but I want to learn this.

Thank you all for any effort.
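
The two hex values quoted in the thread can be checked by byte layout before they are put into an input file. The following is an added example, not part of the thread and not hashcat code: the function names are hypothetical, and the field layouts are assumptions taken from RFC 2759 (MS-CHAPv2 Response value) and MS-NLMP (NTLMv2 response, where the "blob" is everything after the 16-byte NTProofStr).

```python
# Added example: classify a captured challenge/response by byte layout.
# Layouts are assumed from RFC 2759 and MS-NLMP, not taken from the thread.
import string

# Values copied verbatim from the first post of the thread.
PAGE_CHALLENGE = "2ad388f256aae4a7fa63132247f3c111"
PAGE_RESPONSE = "cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00"


def _is_hex(s):
    return len(s) > 0 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def describe_challenge(chal_hex):
    """Report the challenge size: NTLM uses 8 bytes, MS-CHAPv2 uses 16."""
    if not _is_hex(chal_hex):
        return "not-hex"
    sizes = {8: "8-byte (NTLM server challenge size)",
             16: "16-byte (MS-CHAPv2 authenticator challenge size)"}
    return sizes.get(len(chal_hex) // 2, "unexpected length")


def describe_response(resp_hex):
    """Return (kind, fields) for a hex-encoded response value."""
    if not _is_hex(resp_hex):
        return "not-hex", {}
    raw = bytes.fromhex(resp_hex)
    # RFC 2759: Peer-Challenge(16) Reserved(8, all zero) NT-Response(24) Flags(1)
    if len(raw) == 49 and raw[16:24] == bytes(8):
        return "mschapv2", {"peer_challenge": raw[:16].hex(),
                            "nt_response": raw[24:48].hex(),
                            "flags": raw[48:].hex()}
    # MS-NLMP: NTProofStr(16), then the blob, whose fixed header is 28 bytes
    # and starts with RespType=0x01, HiRespType=0x01.
    if len(raw) >= 44 and raw[16:18] == b"\x01\x01":
        return "ntlmv2", {"ntproofstr": raw[:16].hex(), "blob": raw[16:].hex()}
    return "unknown", {"length": len(raw)}


if __name__ == "__main__":
    print(describe_challenge(PAGE_CHALLENGE))
    print(describe_response(PAGE_RESPONSE))
```

Run on the values from the first post, it reports a 16-byte challenge and a 49-byte response with the MS-CHAPv2 layout rather than an NTProofStr followed by a blob.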