Wow, that's an awesomely quick response atom.
Here goes with the description of NTLMv2, added as ticket 56.
https://hashcat.net/trac/ticket/56
The NTLMv2 algorithm requires a username, an authentication target (i.e. domain name) which is case-sensitive but usually provided in all caps, a variable 8-byte server challenge and a variable-sized blob of data which includes a variable client challenge and some other data like a timestamp. This last field is referred to in the Metasploit SMB capture output as NT_CLIENT_CHALLENGE, and in other sources it's referred to as a 'blob', which is what I will call it.
In the example I will use the following values:
Password: hashcat
Username: user
Domain: DOMAIN
Challenge: 0x1122334455667788
Blob: 0x0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000
The generation process is as follows:
Step 1
A regular NTLM hash is produced from the password (hashcat) by unicoding it and passing through MD4.
Code:
hashcat-> b4b9b02e6f09a9bd760f388b67351e2b
Step 2
The username (user) is converted to uppercase and concatenated with the domain name (DOMAIN). This string is converted to unicode and hashed using HMAC_MD5 with the NTLM hash generated earlier used as the key.
Code:
USERDOMAIN -> HMAC_MD5 KEY(b4b9b02e6f09a9bd760f388b67351e2b) -> fb659fcf061b8a92be83024db10434b1
Step 3
The server challenge (0x1122334455667788) is then concatenated with the blob (0x0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000) and this is fed into HMAC_MD5 with the hash just generated (fb659fcf061b8a92be83024db10434b1) used as the key.
Code:
0x11223344556677880101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000
-> HMAC_MD5 KEY(fb659fcf061b8a92be83024db10434b1) -> d2d10fab083e422123c693587315814a
Step 4
The final result.
Code:
d2d10fab083e422123c693587315814a
Let me know if any clarification is needed.