NTLMV2 hash crack bruteforce
#1
How to cut NT client challenge to simple format for hacking? I try this directly as below

oclHashcat64.exe -m 5600 xxx::xxxxx[...]a 3 --status

I saw it is fast if I get simple hash

Also is there any way to crack NTLMV2 without Domain name in oclHashcat? I can do it in Cain
#2
Look at the NTLMV2 format with the hash example from this page:

http://hashcat.net/wiki/doku.php?id=example_hashes

Also, it would be a lot cleaner if you would store your hash in a text file instead of putting it in the command line. --status is not needed and you need to provide a mask.
#3
Thank you mastercracker. But I cannot figure out how to cut out the NT client challenge part and make a small hash. I saw some such examples in this forum. But I can't find a procedure to make a 576-char-length hash into a 280-char hash (as shown in the link you provided).
#4
Does Cain or JTR accept this hash as is? If so, does it really state that it's NTLMV2? I never worked with this format so I can't really help more than this.
#5
I can confirm that field is of varying length, and JtR accepts the hash as posted. Are you saying HC doesn't, or did you stare too much at the example hash and didn't even try?
#6
I know this is an old post but I am new to the forum and this was the only thread I could find relevant to my query.
I'm running cudaHashcat on a 64bit The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) box with an Nvidia GeForce 735 2gb and when I run cudaHashcat with an NTLMv2 hash like so:
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~/Desktop/My Stuff/cudaHashcat-1.30# '/root/Desktop/My Stuff/cudaHashcat-1.30/cudaHashcat64.bin' -m 5600 test::test[...]root/Desktop/My Stuff/cudaHashcat-1.30/example.dict'

I get the following output:

cudaHashcat v1.30 starting...

Device #1: GeForce GT 735M, 2047MB, 627Mhz, 2MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel /root/Desktop/My Stuff/cudaHashcat-1.30/kernels/4318/m5600_a0.sm_35.64.ptx
Device #1: Kernel /root/Desktop/My Stuff/cudaHashcat-1.30/kernels/4318/bzero.64.ptx


Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: File (/root/Desktop/My Stuff/cudaHashcat-1.30/example.dict)
Hash.Target....: TEST::test-PC:1122334455667788:cce958e2567f8fff0217ab32d4454154:[...]
Hash.Type......: NetNTLMv2
Time.Started...: 0 secs
Speed.GPU.#1...: 0 H/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 0/0 (100.00%)
Skipped........: 0/0 (100.00%)
Rejected.......: 0/0 (100.00%)
HWMon.GPU.#1...: -1% Util, 52c Temp, -1% Fan

Started: Fri Nov 7 23:20:16 2014
Stopped: Fri Nov 7 23:20:21 2014

but all it gives me in the Hashcat.pot file is this hash:
TEST::test-PC:1122334455667788:cce958e2567f8fff0217ab32d4454154:010100000000000038a2288013facf0139f4c139fc72d23e000000000200060053004d0042000100160053004d0042002d0054004f004f004c004b00490054000400120073006d0062002e006c006f00630061006c000300280073006500720076006500720032003000300033002e0073006d0062002e006c006f00630061006c000500120073006d0062002e006c006f00630061006c00080030003000000000000000010000000020000089466f4e6e55eb571b1de1f1c0ff5f13300ec7ab644e01bc8be7c907ddc41d030a001000000000000000000000000000000000000900120048005400540050002f0077007000610064000000000000000000:test
even though the correct password is in the wordlist.
I have also tried a mask attack and a hybrid attack, but to no avail, with the exact same output in the .pot file.
Please, any assistance would be much appreciated.
#7
Haven't noticed the ':test' at the end, have you?
#8
':test' at the end? What do you mean?
#9
At the end of the hash you posted from your .pot file, it shows the found password of test.
#10
OMG I feel really stupid right now :/ haha thanks a lot for your help.
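The two points the thread turns on, the variable-length blob field (#5) and the recovered password appended after the last hash field in the .pot line (#7 to #9), shown as an added example that is not part of any post above. The function name and the sample lines are constructed for illustration, and the parser assumes the username contains no ':'.

```python
import re

def _is_hex(s, nchars=None):
    """True if s is non-empty, even-length hex (optionally of exact length)."""
    ok = re.fullmatch(r"[0-9a-fA-F]+", s) is not None and len(s) % 2 == 0
    return ok and (nchars is None or len(s) == nchars)

def parse_netntlmv2(line):
    """Split a hashcat -m 5600 (NetNTLMv2) line into named fields.

    Layout: user::domain:server_challenge:nt_proof:blob[:plaintext]
    The trailing plaintext is present only on lines read back from a potfile.
    """
    # maxsplit=6 keeps a recovered password that itself contains ':' intact.
    parts = line.rstrip("\r\n").split(":", 6)
    if len(parts) < 6 or parts[1] != "":
        raise ValueError("expected user::domain:challenge:proof:blob")
    user, _, domain, challenge, proof, blob = parts[:6]
    if not _is_hex(challenge, 16):   # 8-byte server challenge
        raise ValueError("server challenge must be 16 hex chars")
    if not _is_hex(proof, 32):       # 16-byte HMAC-MD5 response
        raise ValueError("NT proof string must be 32 hex chars")
    if not _is_hex(blob):            # client blob: length varies per capture
        raise ValueError("blob must be even-length hex")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": challenge,
        "nt_proof": proof,
        "blob_bytes": len(blob) // 2,
        "plaintext": parts[6] if len(parts) == 7 else None,
    }

# Constructed sample data (not taken from the thread).
SAMPLE_BLOB = "0101" + "00" * 10
SAMPLE_HASH = "alice::CORP:0011223344556677:" + "ab" * 16 + ":" + SAMPLE_BLOB
SAMPLE_POT_LINE = SAMPLE_HASH + ":pa:ss"   # password containing a colon

if __name__ == "__main__":
    for line in (SAMPLE_HASH, SAMPLE_POT_LINE):
        rec = parse_netntlmv2(line)
        state = "not recovered" if rec["plaintext"] is None else "recovered"
        print(rec["user"], rec["domain"], rec["blob_bytes"], "byte blob,", state)
```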