hashcat Forum
NTLMv2 separator unmatched - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: NTLMv2 separator unmatched (/thread-9341.html)



NTLMv2 separator unmatched - Aila - 06-27-2020

I'm doing a CTF challenge and I should figure out a NTLMv2 password.

The system where the password is from is Windows10 - that means NTLMv2, right?

The hash looks like this:
User Name:1234:53xxxxxxxxxxxxxxxxxxxxxxxxxxx15b:25bxxxxxxxxxxxxxxxxxxxxxxxxxxb4b:::

And I'm using this command:
hashcat -m 5600 -a 0 hash rockyou.txt 
(most likely it's a simple password)

If I use the hash as it is above, hashcat tells me "Failed to parse hashes using the 'pwdump' format."
If I remove the ::: part from the end, hashcat tells me "Separator unmatched"

Is there something about the hash format I don't understand or what is going on?


RE: NTLMv2 separator unmatched - philsmd - 06-27-2020

no, -m 5600 is a diffrent format.

the pwdump is supported with -m 1000 = NTLM and -m 3000 = LM (also see https://openwall.info/wiki/john/hash-formats and https://ftp.samba.org/pub/samba/pwdump/README etc)


so either you are not using the correct -m value (most likely)... or your explanation/expectation about the NTLMv2 is wrong, see example hashes of -m 1000, -m 3000 and -m 5600 here: https://hashcat.net/wiki/example_hashes


RE: NTLMv2 separator unmatched - Aila - 06-27-2020

Hmh... yes. If I take just the 25bxxxxxxxxxxxxxxxxxxxxxxxxxxb4b part and hashcat with -m 1000, it starts the job. And now, after learning to read, it does say on m 5600 that it is a NetNTLMv2 not NTLMv2. I got the hash from an image using volatility.