Need help with NTLM password case
#1
Hello,

So I have an LM hash and an NTLM hash. I figured out the LM hash, but when I try to re-encrypt the password using an LM hash / NTLM hash generator, the NTLM never matches what shows up in the SAM, although the LM hash matches just fine.

Because changing the case of the characters doesn't change the LM hash, I'm thinking I just have the capitalizations wrong.

Is there any way to have hashcat try different cases for a 13-digit password? For example, let's just say I know the password is
password12345 but I don't know the capitalization. If I have the NTLM hash, how would I tell hashcat that the password is password12345 but I'm not sure what letters are capitalized, and to try every combination of capitalizations?

If you need more clarification, I can give an example. I've been over the FAQ and don't see what I'm looking for. I've looked at the output of hashcat64.bin --help and don't see what I'm looking for. I'm sure a mask has something to do with it.

Maybe something like hashcat64.bin <my various options> <path_to_NTLM_hash> <LM password> ?a?a?a?a?a?a?a?a?a?a?a?a?a

Would that be the way to go?

Or would I use ?lu?lu?lu?lu?lu?lu?lu?lu?lu?lu?lu?lu?lu?lu?lu

Would that work? Even though some of the password is numbers, some are special characters, like $? So long as I pass the known LM password to hashcat, the ?lu 13 times should work, right?
#2
You can create rules that toggle case.

https://blog.didierstevens.com/2016/07/1...t-lm-ntlm/
~
#3
(03-25-2018, 06:27 PM)royce Wrote: You can create rules that toggle case.

https://blog.didierstevens.com/2016/07/1...t-lm-ntlm/

Yes, I just came to the same conclusion by trying my suggestion, and seeing that it didn't work. I'm struggling with what rule I would use to have it try all possible lower case / capitalized versions of every letter. Not just the first letter, or one letter, but every possible lower / upper case combo.

Perhaps your link will shed some light on this problem for me.

Thank you.
#4
Hrmm, this didn't recover the password successfully. Let me post my command line, and perhaps you could tell me if I passed the correct parameters to hashcat:
Code:
./hashcat64.bin -m 1000 -a 0 --session="Windows Server 2003 NTLM" --restore-file-path=./winserv2003_ntlm.restore -O -o ./found_ntlm_passwd /tmp/hash.txt --rules ./rules/toggles-lm-ntlm.rule lm-passwords.txt

Now, obviously, I downloaded the toggles-lm-ntlm.rule file from the link you provided and I put the found LM password in the lm-passwords.txt file. Here's the contents of that file:
Code:
CHoKL0cK192O$

Here's my /tmp/hash.txt file:
Code:
7b9da04e2cbc851f27a3a9aae8afd318

Everything look alright to you?

This is for a Windows Server 2003 R2 server....

**EDIT:

I see one run that it makes, and this is the output:
Code:
Session..........: Windows Server 2003 NTLM    
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: 7b9da04e2cbc851f27a3a9aae8afd318
Time.Started.....: Sun Mar 25 13:22:09 2018 (0 secs)
Time.Estimated...: Sun Mar 25 13:22:09 2018 (0 secs)
Guess.Base.......: File (lm-passwords.txt)
Guess.Mod........: Rules (./rules/toggles-lm-ntlm.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:    96846 H/s (0.28ms) @ Accel:64 Loops:32 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 16384/16384 (100.00%)
Rejected.........: 0/16384 (0.00%)
Restore.Point....: 1/1 (100.00%)
Candidates.#1....: cHOkl0Ck192o$ -> chOkl0Ck192o$
HWMon.Dev.#1.....: Temp: 44c Fan: 31%

Started: Sun Mar 25 13:22:06 2018
Stopped: Sun Mar 25 13:22:09 2018
What am I missing here?
#5
I don't feel like it's trying every combo. I've tried using a restore file, but hashcat doesn't even create the restore file. When I look at the logfile, I don't see where it's tried all the combos, like it did with the LM hash.... Makes me feel I'm doing something wrong, maybe the order of parameters or something? I dunno.

Or maybe Windows Server 2003 R2 is using something besides NTLM? Maybe I should be trying something different than -m 1000?
#6
It seems weird that your LM hash always looks case-sensitive. I'm not sure how exactly hashcat handles LM hashes but I would expect it to only have upper case letters.

Regarding the restore file, for wordlist attacks it depends on the word position in your dict. Since there is only one word in it, hashcat never reaches a point where it would create a restore file.
#7
(03-26-2018, 10:09 AM)undeath Wrote: It seems weird that your LM hash always looks case-sensitive. I'm not sure how exactly hashcat handles LM hashes but I would expect it to only have upper case letters.

Regarding the restore file, for wordlist attacks it depends on the word position in your dict. Since there is only one word in it, hashcat never reaches a point where it would create a restore file.

I believe the reason my LM hashes always look case-sensitive is because I was lazy and busy, and didn't care about the six hours it'd take to run through every combo, so I used a mask of all ?a's.

Because capitalization doesn't matter with LM hashes, PAssWOrD will encode to the same hash as PASSWORD. You can test this yourself by going to an online LM hash generator / encoder / whatever you want to call it.

I could have specified to try just symbols, numbers, and upper case or just lower case letters and it would have sped it up a bit and found the same password. I copied and pasted, because I was being lazy.

It was a weird issue; domain controllers store passwords differently. So for the Administrator account, I couldn't log in when I booted the server normally, because there was no Administrator account. It was only when I did the F8 trick and disabled the domain controller stuff that I could log in as Administrator. The domain user that really was the admin was Cinder45.

This could perhaps be Microsoft's way of preventing someone from logging in as Administrator in normal mode? Having an NTLM password that never matches the LM hash? I dunno. I'd love to learn where those domain usernames and hashes are stored and how to read the hashes from them.

Regardless, I finally gained admin access to the server. A friend suggested the old trick of replacing the accessibility program with cmd.exe and hitting the shift key five times. This spawns an administrator command prompt, before the login screen, where you can use net user to view and change account passwords. I saw the Cinder45 account, remembered him saying that was the account needed to log in, changed the password, and access was gained, finally!