Brute Forcing LM/NTLM with non ASCII Characters
-All passwords and hashes referred to in this post are publicly available-

Hi Everyone

Is it possible to brute force LM and NTLM hashes of passwords which contain non-ASCII characters? I'm using Hashcat 6.1.1.

Here is the context:

Alex wrote a fantastic article on how to brute force MD5 hashes of passwords containing non-Latin characters: https://miloserdov.org/?p=4016. Here is a summary:

MD5 Brute Force - Works
Plaintext: нет
Plaintext hex: d0 bd , d0 b5 , d1 82
UTF-8 Encoded MD5 hash: df28b6f9df132e3be4db5b102433d3b1
hashcat -m 0 -a 3 df28b6f9df132e3be4db5b102433d3b1 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2
Potfile: df28b6f9df132e3be4db5b102433d3b1:нет

Now, moving on to the NTLM hash:

NTLM Dictionary - Works
UTF-8 Encoded NTLM hash = cdef73138cf484d77ad0f9f8ade64189
hashcat -m 900 -a 0 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189  WordList-utf-8.txt (#Notice hash mode has changed.)

WordList-utf-8.txt is a utf-8 encoded text file containing the characters нет

The results of the dictionary attack are as follows:

cdef73138cf484d77ad0f9f8ade64189:$HEX[3d0435044204]

We can decode the hex value at https://dencode.com/en/string
3d0435044204 (UTF-16LE) = нет

At this point, we now know that the hash has been correctly generated and that we can crack it using a dictionary attack. Let's move on to brute forcing the NTLM hash:

NTLM Brute Force - Doesn't Work
We try the same hash mode as we used for the dictionary attack:
hashcat -m 900 -a 3 --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2

But no luck:
Recovered........: 0/1 (0.00%) Digests

Changing the hash mode to 1000 (NTLM) also fails:
hashcat -m 1000 -a 3  --encoding-to utf16le cdef73138cf484d77ad0f9f8ade64189 -1 d0d1 -2 bdb582 --hex-charset ?1?2?1?2?1?2

This post refers to a similar issue, but with Office hashes: https://hashcat.net/forum/thread-8456.ht...lobal_swap

In m09600-pure.cl, I have replaced sha512_update_global_utf16le_swap with sha512_update_global_swap as suggested by Phil, but the issue persists.

Does anyone know whether it is indeed possible to brute force LM and NTLM hashes of passwords which contain non-ASCII characters? And if so, what am I missing?

Thanks very much, I’ll greatly appreciate any help.


Brute Forcing LM/NTLM with non ASCII Characters - by hydorh - 07-31-2020, 02:44 PM
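The following is an added worked example, not code from the post or from hashcat, that makes the encoding difference behind the question explicit. MD5 in the post is computed over the raw UTF-8 bytes of the password (d0 bd d0 b5 d1 82), whereas NTLM is MD4 over the UTF-16LE encoding (3d 04 35 04 42 04), which is exactly what the $HEX[3d0435044204] potfile entry shows. A hex-charset mask built from UTF-8 byte values therefore enumerates candidates that are never the input bytes of the NTLM hash unless something transcodes them first. The MD4 routine below is a plain RFC 1320 implementation written for this example (so it does not depend on OpenSSL's legacy provider); the helper names `ntlm`, `md5_utf8`, `hash_input_bytes` and `decode_hex_potfile` are this example's own.

```python
"""Added example: why a UTF-8 byte mask matches the MD5 hash but not the NTLM hash.

MD5 in the post is computed over the password's UTF-8 bytes; NTLM is MD4 over
the password's UTF-16LE bytes.  The functions below compute both from a plain
string and decode hashcat's $HEX[...] potfile form so the two inputs can be
compared byte for byte.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), written for this example."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (boolean function, round constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = list(struct.unpack("<16I", msg[off:off + 64]))
        v = state[:]
        for func, const, shifts, order in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated this step cycles a, d, c, b
                y, z, w = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + func(y, z, w) + x[order[i]] + const) & MASK32,
                            shifts[i % 4])
        state = [(s + n) & MASK32 for s, n in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NTLM = unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


def md5_utf8(password: str) -> str:
    """The 'raw' MD5 used in the post: MD5 over the UTF-8 bytes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_input_bytes(password: str) -> dict:
    """The exact byte strings each hash function sees, as hex (compare with the masks)."""
    return {
        "md5": password.encode("utf-8").hex(),
        "ntlm": password.encode("utf-16-le").hex(),
    }


def decode_hex_potfile(plain: str, encoding: str) -> str:
    """Decode hashcat's $HEX[...] potfile form; other plains are returned unchanged."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return bytes.fromhex(plain[5:-1]).decode(encoding)
    return plain


if __name__ == "__main__":
    pw = "нет"  # the sample password from the post
    print("bytes hashed:", hash_input_bytes(pw))
    print("md5 over utf-8   :", md5_utf8(pw))
    print("ntlm (md4/utf16le):", ntlm(pw))
    print("potfile plain    :", decode_hex_potfile("$HEX[3d0435044204]", "utf-16-le"))
```

Running this prints the two input byte strings side by side: the UTF-8 mask charsets d0d1 and bdb582 can only ever produce the `md5` bytes, while the NTLM digest was taken over the `ntlm` bytes, which share no byte values with them. That is also why the potfile plain has to be decoded as UTF-16LE rather than UTF-8 to read back as нет.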