+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: How to make use of the DES KPA mode (/thread-5832.html)
How to make use of the DES KPA mode - atom - 09-03-2016
Just wanted to make a quick writeup how to use the new DES KPA cracking mode.
An interessting example, I thought, would be how to retrieve the NTLM out of a captured NetNTLMv1 session. It doesn't matter if you were the server to enforce some challenge or if you sniffed it from the wire.
Note: The way we do it here will also work for cracking MSCHAPv2 or WPA2 Enterprise.
So, basically what we're looking in NetNTLMv1 is the challenge and a 24 byte bytestream. To get them you can use metasploit or other tools, but I don't want to focus that here. For details how to get them, check out this page: https://crack.sh/mschapv2.html
You end up in a string that looks like the following: $99$ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=
First we need to decode the base64, remove the $99$ signature and do this:
Code:
root@et:~/hashcat# echo -n 'ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=' | base64 -d | xxd
00000000: 1122 3344 5566 7788 727b 4e35 f947 129e ."3DUfw.r{N5.G..
00000010: a52b 9cde dae8 6934 586c .+....i4Xl
root@et:~/hashcat#- The first 8 byte are the challenge, which will be our data part in the DES cracking later.
- The next 16 byte are 2 of 3 DES encrypted messages. If we manage to crack both of them we can reconstruct the NTLM out of it. This is our goal and it's guaranteed, it will just take some time.
- The next 2 byte is the decrypted message of the third DES message. So yes, this one is already cracked, which was possible because the search space is pretty small (0x10000). We don't need to crack this anymore. Note: This will be the last 2 byte of the final NTLM.
So we end up in the following information:
- CT1: 727b4e35f947129e
- CT2: a52b9cdedae86934
- PT3: 586c
- CHAL: 1122334455667788
To make use of hashcat's DES KPA cracking with just need two informations. The ciphertext and the plaintext. Both must be exactly 8 byte. Both need to be given in hex notation. So the hashes look like this:
Code:
root@et:~/hashcat# cat hashes.txt
727b4e35f947129e:1122334455667788
a52b9cdedae86934:1122334455667788
root@et:~/hashcat#And that's it basically. Now we can start hashcat with this:
Code:
root@et:~/hashcat# ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3
...
root@et:~/hashcat#Some explanations about the commandline:
- The -1 charsets/DES_full.charset was added to GitHub with a recent commit and I recommend to use it whenever you're cracking a full DES range
- ?1?1?1?1?1?1?1?1 The length is always (and exact) 8 byte.
Code:
root@et:~/hashcat# cat cracked.txt
727b4e35f947129e:1122334455667788:$HEX[8923bdfdaf753f63]
a52b9cdedae86934:1122334455667788:$HEX[17d741d7ddc1c36f]
root@et:~/hashcat#Now that we've cracked the DES key, we need to decode them back to plain data. I've written a small program "deskey_to_ntlm.pl" to do that, it's part of hashcat-utils now: https://github.com/hashcat/hashcat-utils/blob/master/src/deskey_to_ntlm.pl
Code:
root@et:~/hashcat-utils/src# perl deskey_to_ntlm.pl 8923bdfdaf753f63
8846f7eaee8fb1
root@et:~/hashcat-utils/src# perl deskey_to_ntlm.pl 17d741d7ddc1c36f
17ad06bdd830b7
root@et:~/hashcat-utils/src#Now you can put the substrings together to get the final NTLM:
8846f7eaee8fb117ad06bdd830b7586c
As a proof, that all the above worked correctly, I knew that the NTLM password was "password":
Code:
root@ht:~/hashcat-utils/src# echo -n password | iconv -f utf8 -t utf16le | openssl dgst -md4
(stdin)= 8846f7eaee8fb117ad06bdd830b7586c
root@ht:~/hashcat-utils/src# You know, once you have the NTLM hash, you can do all the funny things like PTH or generate a kerberos ticket out of it or simply crack the NTLM.
- atom
RE: How to make use of the DES KPA mode - mubix - 09-03-2016
Awesome stuff! Thanks for making this happen atom. Really appreciate it.