NTLMv2 -- Not finding password
#1
I know the password but I can't get hashcat to find it. It's NTLMv2. I've tried a dictionary file with the password in it, and brute/mask. Anyone know what I'm doing wrong?

The password is Newpass8

Here's the input:
Code:
hashcat-cli32.exe -m 5600 -a 3 -o key ntlm2.txt Newpass?d


Here is the contents of ntlm2.txt
Code:
Administrator::WIN-HMH39596ABN:1122334455667788:80be64a4282577cf3b80503f4acb0e5a:0101000000000000f077830c70a4ce0114ddd5c22457143000000000020000000000000000000000


Input.Mode: Mask (Newpass?d)
Index.....: 0/1 (segment), 10 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, - words
Progress..: 10/10 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--

Started: Thu Aug 29 00:56:26 2013
Stopped: Thu Aug 29 00:56:27 2013


Many thanks for your help.
#2
the challenge is likely incorrect. what tool(s) did you use to initiate the challenge and capture the response?
#3
(08-29-2013, 08:15 AM)epixoip Wrote: the challenge is likely incorrect. what tool(s) did you use to initiate the challenge and capture the response?


I used the auxiliary/smb module in Metasploit. I checked in Wireshark to make sure. But I'm new to NTLMv2, so I could be wrong.

[Image: 9m7d51K.jpg]
#4
The hash is somehow invalid; oclHashcat-plus won't even load it. Check out https://hashcat.net/wiki/doku.php?id=example_hashes for a valid example.
#5
it loads for me if you remove the control character in the middle of the hash
#6
On oclHashcat-plus as well? It has a sharper (but also more correct) hash parser.
#7
Okay thanks Atom and Epixoip, I'm sure it's a bad hash.

For anyone who makes this mistake as I did, check out the difference in packet captures between the smb module and a legitimate login; there's a big difference. Back to the drawing board.
#8
It's not a bad hash. The problem is that the salt (username + domainname) is longer than the (optimized) max of 27 characters. JtR can crack it using the CPU format but not the GPU one.
#9
(08-30-2013, 01:28 AM)magnum Wrote: It's not a bad hash. The problem is that the salt (username + domainname) is longer than the (optimized) max of 27 characters. JtR can crack it using the CPU format but not the GPU one.


Are you sure? I've tried john --format=netntlmv2 /root/Desktop/hash with the following and get "No password hashes loaded (see FAQ)".
Code:
username:$Administrator$WIN-HMH39596ABN$1122334455667788$80be64a4282577cf3b80503f4acb0e5a$0101000000000000f077830c70a4ce0114ddd5c22457143000000000020000000000000000000000:::::::

I'd rather use hashcat anyway, but would like to know how you cracked it.
#10
(08-30-2013, 02:59 AM)PnkPanther Wrote:
(08-30-2013, 01:28 AM)magnum Wrote: It's not a bad hash. The problem is that the salt (username + domainname) is longer than the (optimized) max of 27 characters. JtR can crack it using the CPU format but not the GPU one.

Are you sure? I've tried john --format=netntlmv2 /root/Desktop/hash with the following and get "No password hashes loaded (see FAQ)".

Yeah I'm sure, it's still in my console buffer:
Code:
$ ../run/john test
ntlmv2-opencl: One or more hashes rejected due to salt length limitation.
Max supported sum of Username + Domainname lengths is 27 characters.
Try the CPU format for those.
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
Newpass8         (Administrator)
1g 0:00:00:00 DONE (2013-08-30 01:21) 5.263g/s 666310p/s 666310c/s 666310C/s Newpass8
Use the "--show" option to display all of the cracked passwords reliably
Session completed
As you can see, the GPU format rejects it but tells you why, and then the CPU format loads and cracks it. The latter just uses OpenSSL, so it has no length limits, but it is likely a lot slower than HashCat.

I did remove the binary crap that epixoip mentioned. I tried pasting the correct one here but the forum re-adds the binary crap at the line wrap.
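The two findings in this thread (a stray control character in the pasted hash, and a username+domain salt longer than the 27 characters magnum quotes for JtR's ntlmv2-opencl format) can both be checked without a cracker. The script below is an added example, not code from the thread, hashcat or John the Ripper: it strips non-printable characters from a `-m 5600` / netntlmv2 line, validates the `USER::DOMAIN:CHALLENGE:RESPONSE:BLOB` layout, reports the user+domain length, and recomputes the NTLMv2 response per MS-NLMP (NTOWFv2 = HMAC-MD5(NTLM, UTF-16LE(UPPER(user)+domain)), NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob)) for a candidate password. MD4 is implemented inline because hashlib's md4 needs OpenSSL's legacy provider on many systems. Function names (`parse_5600`, `salt_length`, `check_password`, `build_line`) and the `SALT_LIMIT` constant are this example's own; the limit is taken from magnum's post and is not a hashcat figure. The posted hash line and the password Newpass8 are the thread's; whether that line verifies as posted depends on what the forum did to it, which is exactly what the script reports.

```python
"""Added example, not code from the thread, hashcat or JtR.

Validates a hashcat -m 5600 / JtR netntlmv2 line by hand: strips stray
control characters, checks the field layout, reports the username+domain
length (the 27-character JtR OpenCL limit quoted in the thread) and
recomputes the NTLMv2 response (MS-NLMP) for a candidate password.
MD4 is implemented inline because hashlib's md4 needs OpenSSL's legacy
provider on many systems.
"""
import hashlib
import hmac
import struct

HEX = set("0123456789abcdefABCDEF")
SALT_LIMIT = 27  # limit quoted for JtR's ntlmv2-opencl in the thread; not a hashcat figure


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; NTLM is MD4 over the UTF-16LE encoded password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]            # 0,4,8,12,1,5,...
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            t = (a + F(b, c, d) + X[i]) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            t = (a + G(b, c, d) + X[r2[i]] + 0x5A827999) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            t = (a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob), with
    NTOWFv2 = HMAC-MD5(NTLM, UTF-16LE(UPPER(user) + domain)); the domain keeps its case."""
    identity = (user.upper() + domain).encode("utf-16le")
    ntowf_v2 = hmac.new(ntlm_hash(password), identity, hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def sanitize(line: str) -> str:
    """Drop control characters such as the one the forum inserted at the line wrap."""
    return "".join(ch for ch in line if ch.isprintable()).strip()


def parse_5600(line: str) -> dict:
    """USER::DOMAIN:CHALLENGE:RESPONSE:BLOB with strict per-field checks."""
    parts = sanitize(line).split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected USER::DOMAIN:CHALLENGE:RESPONSE:BLOB")
    user, _, domain, chal, resp, blob = parts
    for name, val, n in (("challenge", chal, 16), ("response", resp, 32)):
        if len(val) != n or not set(val) <= HEX:
            raise ValueError(f"{name} must be exactly {n} hex characters")
    if len(blob) % 2 or not set(blob) <= HEX or not blob.lower().startswith("0101"):
        raise ValueError("blob must be even-length hex starting with the 0101 NTLMv2 header")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "response": bytes.fromhex(resp), "blob": bytes.fromhex(blob)}


def salt_length(line: str) -> int:
    h = parse_5600(line)
    return len(h["user"]) + len(h["domain"])


def check_password(line: str, password: str) -> bool:
    h = parse_5600(line)
    calc = ntlmv2_response(password, h["user"], h["domain"], h["challenge"], h["blob"])
    return hmac.compare_digest(calc, h["response"])


def build_line(password: str, user: str, domain: str,
               server_challenge: bytes, blob: bytes) -> str:
    """Construct a -m 5600 line from known inputs (for self-checks)."""
    resp = ntlmv2_response(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{resp.hex()}:{blob.hex()}"


# The line from the first post, as it appears on the page; any control character
# the forum added is not reproducible here, so sanitize() may have nothing to strip.
THREAD_LINE = ("Administrator::WIN-HMH39596ABN:1122334455667788:"
               "80be64a4282577cf3b80503f4acb0e5a:"
               "0101000000000000f077830c70a4ce0114ddd5c22457143000000000020000000000000000000000")

if __name__ == "__main__":
    n = salt_length(THREAD_LINE)
    print(f"user+domain length = {n}" + (" (over the JtR OpenCL limit)" if n > SALT_LIMIT else ""))
    print("Newpass8 verifies against the posted line:", check_password(THREAD_LINE, "Newpass8"))
```

A line that fails `parse_5600` is the "bad hash" case from posts #4 and #6; a line that parses but has `salt_length` above 27 is magnum's case, where the hash is fine and the limit is in the cracker. `build_line` lets you produce a known-good line from a password you control to confirm the tooling before blaming a capture.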