Add ntlm v1/v2 challenge response (netntlm, netntlmv2) support to hashcat plus
Wow, that's an awesomely quick response atom.

Here goes with the description of NTLMv2, added as ticket 56.

The NTLMv2 algorithm requires a username, an authentication target (i.e. domain name) which is case sensitive but usually provided in all caps, a variable 8-byte server challenge and a variable-sized blob of data which includes a variable client challenge and some other data like a timestamp. This last field is referred to in the Metasploit SMB capture output as NT_CLIENT_CHALLENGE, and in other sources it's referred to as a 'blob', which is what I will call it.

In the example I will use the following values:

Password: hashcat
Username: user
Domain: DOMAIN
Challenge: 0x1122334455667788
Blob: 0x0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000

The generation process is as follows:

Step 1

A regular NTLM hash is produced from the password (hashcat) by unicoding it and passing through MD4.

hashcat-> b4b9b02e6f09a9bd760f388b67351e2b

Step 2

The username (user) is converted to uppercase and concatenated with the domain name (DOMAIN). This string is converted to unicode and hashed using HMAC_MD5 with the NTLM hash generated earlier used as the key.

USERDOMAIN -> HMAC_MD5 KEY(b4b9b02e6f09a9bd760f388b67351e2b) -> fb659fcf061b8a92be83024db10434b1

Step 3

The server challenge (0x1122334455667788) is then concatenated with the blob (0x0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000) and this is fed into HMAC_MD5 with the hash just generated (fb659fcf061b8a92be83024db10434b1) used as the key.

-> HMAC_MD5 KEY(fb659fcf061b8a92be83024db10434b1) -> d2d10fab083e422123c693587315814a

Step 4

The final result.
Let me know if any clarification is needed.
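The four steps above as an added worked example (not part of vima's post). MD4 is implemented in pure Python because hashlib's md4 is missing on many OpenSSL 3 builds; the user::domain:challenge:response:blob line layout consumed by check_candidate is an assumption here (it is the NetNTLMv2 line format hashcat later adopted, not something shown in the post).

```python
import hmac
import struct

# Pure-Python MD4 (RFC 1320); hashlib's "md4" is absent on many OpenSSL 3 builds.
def md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        saved = (a, b, c, d)
        for f, k, order, shifts in rounds:
            for n, i in enumerate(order):
                a = rol((a + f(b, c, d) + X[i] + k) & 0xFFFFFFFF, shifts[n % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), saved)]
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password: str) -> bytes:
    """Step 1: MD4 over the UTF-16LE ("unicode") password."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """Step 2: HMAC-MD5 keyed with the NTLM hash over UPPER(user) + domain (domain case kept)."""
    return hmac.new(ntlm_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def netntlmv2_response(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """Step 3: HMAC-MD5 keyed with the NTLMv2 hash over server challenge || blob."""
    return hmac.new(ntlmv2_hash(password, user, domain), challenge + blob, "md5").digest()

def check_candidate(line: str, candidate: str) -> bool:
    """Step 4 as a check: does `candidate` reproduce the response in a user::domain:chal:resp:blob line?"""
    user, _, domain, challenge, response, blob = line.split(":")
    calc = netntlmv2_response(candidate, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(calc, bytes.fromhex(response))

# Sample inputs taken from the post above.
SAMPLE = dict(password="hashcat", user="user", domain="DOMAIN",
              challenge=bytes.fromhex("1122334455667788"),
              blob=bytes.fromhex("0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000"))

def capture_line(response: bytes) -> str:
    """Assemble the assumed hashcat-style line for the sample values and a computed response."""
    return f"{SAMPLE['user']}::{SAMPLE['domain']}:{SAMPLE['challenge'].hex()}:{response.hex()}:{SAMPLE['blob'].hex()}"
```

The digests returned by ntlm_hash, ntlmv2_hash and netntlmv2_response are the outputs of Steps 1 to 3 and can be compared with the values the post lists for the same inputs.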

RE: Add ntlm v1/v2 challenge response (netntlm, netntlmv2) support to hashcat plus - by vima - 02-01-2013, 05:05 AM