DES/NetNTLMv1 Cracking Issue
So I have a hash which cracks fine with netntlmv1 mode, but I can't seem to crack the third chunk with hashcat/chapcrack/manually. Can someone point out where I am going wrong?

The following netntlmv1 hash has the password of "password.1": e81d062fe3f8fb9f00000000000000000000000000000000:7e8ff866e232d90c199093c6684954c0fd5717880e4b5e13:7ab2b26a22061831

-----------------------------
Confirmation with hashcat:
Code:
a@a:~/hashcat-dev$ ./hashcat -m 5500 --potfile-disable -w 4 -a 3 a::a:e81d062fe3f8fb9f00000000000000000000000000000000:7e8ff866e232d90c199093c6684954c0fd5717880e4b5e13:7ab2b26a22061831 password.1
hashcat (v3.10-90-gecba0d2) starting...
--snip--
a::a:e81d062fe3f8fb9f00000000000000000000000000000000:7e8ff866e232d90c199093c6684954c0fd5717880e4b5e13:7ab2b26a22061831:password.1
Session.Name...: hashcat
Status.........: Cracked
--snip--
Right so let's see if we can crack the third block with chapcrack:
Code:
a@a:~/chapcrack $ ./chapcrack.py radius -C 7ab2b26a22061831 -R 7e8ff866e232d90c199093c6684954c0fd5717880e4b5e13
Cracking K3................
                     C1 = 7e8ff866e232d90c
                     C2 = 199093c6684954c0
                     C3 = fd5717880e4b5e13
                      P = 7ab2b26a22061831
No luck there.

Let's try with hashcat (trying to crack the 2-byte key):
Code:
a@a:~/hashcat-dev$ ./hashcat -m 14000 -w 4 -o cracked.txt -a 3 -1 charsets/DES_full.charset -2 00 --hex-charset fd5717880e4b5e13:7ab2b26a22061831 ?1?1?2?2?2?2?2?2
hashcat (v3.10-90-gecba0d2) starting...
--snip--
Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?2?2?2?2?2?2) [8]
Custom.Chars...: -1 charsets/DES_full.charset, -2 00, -3 Undefined, -4 Undefined
Hash.Target....: fd5717880e4b5e13:7ab2b26a22061831
--snip--

That failed too, let's try and calculate it manually.
Code:
$ echo -n password.1 | iconv -f utf8 -t utf16le | openssl dgst -md4
(stdin)= 006731c3726516dab489ef00fb2308a8
If we take this and split it up into three 7-byte chunks (null padding up to 21 bytes):
006731c3726516 dab489ef00fb23 08a80000000000

If we take the last chunk and expand it to 8 bytes we get:

0854000000000000

Now if we encrypt our challenge (7ab2b26a22061831) with this key we should get the 3rd block in the original netntlmv1 hash:

(this is using the pycrypto library)
Code:
>>> import binascii
>>> from Crypto.Cipher import DES
>>> des = DES.new(binascii.unhexlify("0854000000000000"), DES.MODE_ECB)
>>> binascii.hexlify(des.encrypt(binascii.unhexlify("7ab2b26a22061831")))
'7e22a569174505aa'
Which doesn't match; it should be: fd5717880e4b5e13

Calculating the odd parity doesn't make a difference:
Code:
>>> des = DES.new(binascii.unhexlify("0854010101010101"), DES.MODE_ECB)
>>> binascii.hexlify(des.encrypt(binascii.unhexlify("7ab2b26a22061831")))
'7e22a569174505aa'

Anyone have any idea where I am going wrong, and why hashcat is failing to crack the third block?
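Added example (not part of the original post, and not hashcat or chapcrack code): the LM field in this hash is an 8-byte value followed by 16 zero bytes, which in MS-NLMP is the layout of NTLMv1 with extended session security, where the NT response is DES-encrypted over the first 8 bytes of MD5(server challenge || client challenge) instead of the raw server challenge. The sketch below derives the three DES keys and the 8-byte DES plaintext from the values in the post. The function names are hypothetical, and the DES call itself is left to the library already used above.

```python
import hashlib

def is_ess(lm_response: bytes) -> bool:
    """ESS layout: 8-byte client challenge followed by 16 zero bytes."""
    return len(lm_response) == 24 and lm_response[8:] == bytes(16)

def effective_challenge(server_challenge: bytes, lm_response: bytes) -> bytes:
    """Return the 8 bytes that are DES-encrypted to form the NT response."""
    if is_ess(lm_response):
        client_challenge = lm_response[:8]
        return hashlib.md5(server_challenge + client_challenge).digest()[:8]
    return server_challenge  # plain NTLMv1: the server challenge is used as-is

def expand_des_key(chunk7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits each), odd parity in bit 0."""
    n = int.from_bytes(chunk7, "big")
    out = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1  # set the parity bit so the byte has an odd number of ones
        out.append(b)
    return bytes(out)

def ntlmv1_des_keys(nt_hash: bytes) -> list:
    """Pad the 16-byte NT hash to 21 bytes and derive K1, K2, K3."""
    padded = nt_hash + bytes(5)
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]

# Values taken from the post above
NT_HASH = bytes.fromhex("006731c3726516dab489ef00fb2308a8")
LM_FIELD = bytes.fromhex("e81d062fe3f8fb9f" + "00" * 16)
SERVER_CHALLENGE = bytes.fromhex("7ab2b26a22061831")

if __name__ == "__main__":
    print("ESS layout in LM field:", is_ess(LM_FIELD))
    print("DES plaintext:", effective_challenge(SERVER_CHALLENGE, LM_FIELD).hex())
    for i, key in enumerate(ntlmv1_des_keys(NT_HASH), 1):
        print("K%d = %s" % (i, key.hex()))
```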


Messages In This Thread
DES/NetNTLMv1 Cracking Issue - by lordneon - 10-10-2016, 04:34 PM
RE: DES/NetNTLMv1 Cracking Issue - by atom - 10-10-2016, 04:54 PM
RE: DES/NetNTLMv1 Cracking Issue - by lordneon - 10-10-2016, 05:11 PM