MSCHAPv2 and NTLMv1 - Printable Version
hashcat Forum (https://hashcat.net/forum) / Misc (https://hashcat.net/forum/forum-15.html) / General Talk (https://hashcat.net/forum/forum-33.html) / Thread: MSCHAPv2 and NTLMv1 (/thread-7436.html)
MSCHAPv2 and NTLMv1 - usernet - 04-11-2018

Hi all, this is my first post. I hope the question is just as interesting for you as it is for me, and that it's not too dumb. I get to the point: implementing an evil-twin attack in a WPA2-Enterprise network, in which my notebook is the authenticator and the authentication server (the AP and the RADIUS server), and where the MSCHAPv2 protocol is used as the inner authentication method, I can retrieve an NTLMv1 hash, an MD4, as suggested in these posts, and as the example picture shows:

https://hashcat.net/forum/thread-2563.html
https://hashcat.net/forum/thread-5052.html

(I'm using hostapd-wpe in a TESTING environment.)

But, reading the details of the MSCHAPv2 protocol, I cannot explain to myself how it's possible that I can retrieve this (NTLM) hash; especially since the protocol uses the NTLM hash only as a key to encrypt the challenge hash and does not explicitly send it to the RADIUS server. From RFC 2759 - "Microsoft PPP CHAP Extensions, Version 2" I found:

Quote: Response Packet
Quote: 8.1. GenerateNTResponse()
Quote: 8.5. ChallengeResponse(

How is it possible that I can retrieve the PasswordHash, instead of trying to obtain it through the DES-encrypted string?

Thank you for all your help

RE: MSCHAPv2 and NTLMv1 - undeath - 04-11-2018

If you look at the 5500 (netntlmv1) kernel you can see that it does involve DES encryption: https://github.com/hashcat/hashcat/blob/master/OpenCL/m05500_a0.cl

However, here is a post about recovering the NTLM hash from the NetNTLMv1 hash: https://hashcat.net/forum/thread-5912.html

RE: MSCHAPv2 and NTLMv1 - usernet - 04-11-2018

(04-11-2018, 10:46 PM)undeath Wrote: however, here is a post about recovering the ntlm hash from the netntlmv1 hash: https://hashcat.net/forum/thread-5912.html

OK, now it's clearer, thanks a lot. In particular I would point out the link reported by the author of the post, which definitively solved my doubts: http://markgamache.blogspot.ca/2013/01/ntlm-challenge-response-is-100-broken.html