hashcat Forum
Posting a hash from malware? - Printable Version

Thread: Posting a hash from malware? (/thread-9462.html)



Posting a hash from malware? - pragmatic - 08-20-2020

So I know that in general it is verboten to post hashes for cracking, which I completely get.

That said, while looking over a threat report detailing recent "Chimera APT" activity, they mentioned that the attackers had inserted skeleton key logic on the domain controllers which would allow a single password to be considered valid for all accounts. The code used to do this was largely taken from mimikatz, but the hash was changed from the normally hardcoded "mimikatz" hash.

The values that make up that new hash value are visible on page 18 of that report (marked 17 in the text), although they need to be put together and ordered with endianness in mind, etc. Given that the hash is clearly public at this point from this report (and Twitter for that matter), and that it is associated with nefarious activities, would it be acceptable to post the hash here to see if "team hashcat" can crack it?

If not, I get it; I realize this is not the intent of this forum, but I figured it could be interesting to some folks and could create a very simple test for organizations to test for the presence of this malware (e.g. just try to log in with whatever the password ends up being; obviously this only works until they change it though).


RE: Posting a hash from malware? - philsmd - 08-20-2020

This: https://twitter.com/TalBeerySec/status/1292734995254190080 ?

vs the password "mimikatz" -m 1000 NTLM hash : https://github.com/gentilkiwi/mimikatz/blob/a2a25cc9f5cbe86cfb6baedf5d3d39aea19b5a7f/mimikatz/modules/kuhl_m_misc.c#L602-L606
( original "mimikatz" 60xx4fcaxxxx6c7a03xxxx8194xxxxf6 )


RE: Posting a hash from malware? - pragmatic - 08-21-2020

(08-20-2020, 11:03 PM)philsmd Wrote: This: https://twitter.com/TalBeerySec/status/1292734995254190080 ?

vs the password "mimikatz" -m 1000 NTLM hash : https://github.com/gentilkiwi/mimikatz/blob/a2a25cc9f5cbe86cfb6baedf5d3d39aea19b5a7f/mimikatz/modules/kuhl_m_misc.c#L602-L606
( original "mimikatz" 60xx4fcaxxxx6c7a03xxxx8194xxxxf6 )

Yes, that would be it.