Creating NetNTLMv2 hashes
It took me a while to find/figure this out recently so I thought I'd post it here in case it helped anyone else. If nothing else I'll probably forget the details in a couple weeks and I can just use it to remind myself. Smile

NetNTLMv2 hash format (-m 5600) appears to have been introduced in a hashcat-0.43 beta and was originally aligned with JtR as follows:


By the time 0.43 was officially released this had been changed to its current format, which is aligned with l0phtcrack:


The format of this layout is:

Username:Big Grinomain:Challenge:NTLMv2hash(aka HMAC-MD5):blob(entire NTLMv2 response except the HMAC that was in the preceding field)

If you're using Cain to capture/process these negotiations, there is no export functionality so you'll need to take them directly from the NTLMv2.LST file which is located here:


To put them in the lc/hashcat format, you can use:

awk -v OFS=":" -F "\t" '{print($1,"",$2,$5,$4,$6)}' NTLMv2.LST > ntlmv2.hashes

Hope someone finds this useful.

Messages In This Thread
Creating NetNTLMv2 hashes - by pragmatic - 12-23-2013, 08:08 PM
RE: Creating NetNTLMv2 hashes - by pragmatic - 12-23-2013, 08:16 PM