HELP/GUIDE: LM Brute Force
Hello!

I am trying to recover some passwords from a Windows SBS 2003 Active Directory database, and I am unable to get the clear-text passwords from the LM hashes. I have written this up as a guide so that you know what I have done and we can fix it together.

I have Cygwin installed and in my PATH, and I have also downloaded QuarksPWDump and, of course, oclHashcat.

I was using AMD CCC 14.2 but I downgraded to 13.2 so I could use oclhashcat. (Just used the normal CCC uninstaller, reboot, installed 13.2, reboot, all working fine)

Other bits: I am using Windows 8.1 x64 and have an AMD FX-9590, 16GB of 2133MHz (10t) memory and an AMD R9 290X. The drive layout is a 2x64GB SSD RAID-0 for the system and a 4x2TB WD Black RAID-10 for data.

Benchmarks: (No idea why it's showing as 2048MB, perhaps something to do with OverDrive?)

Code:
oclHashcat-1.01>oclHashcat64.exe -b
oclHashcat v1.01 starting in benchmark-mode...

Device #1: Hawaii, 2048MB, 1000Mhz, 44MCU

Hashtype: MD4
Workload: 1024 loops, 256 accel
Speed.GPU.#1.: 23907.3 MH/s

Hashtype: MD5
Workload: 1024 loops, 256 accel
Speed.GPU.#1.: 11991.6 MH/s

Hashtype: SHA1
Workload: 512 loops, 256 accel
Speed.GPU.#1.:  3735.3 MH/s

Hashtype: SHA256
Workload: 256 loops, 256 accel
Speed.GPU.#1.:  1532.4 MH/s

Hashtype: SHA512
Workload: 128 loops, 256 accel
Speed.GPU.#1.: 92496.5 kH/s

Hashtype: SHA-3(Keccak)
Workload: 256 loops, 256 accel
Speed.GPU.#1.:   215.7 MH/s

Hashtype: RipeMD160
Workload: 256 loops, 256 accel
Speed.GPU.#1.:  2428.8 MH/s

Hashtype: Whirlpool
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 19168.8 kH/s

Hashtype: GOST R 34.11-94
Workload: 256 loops, 256 accel
Speed.GPU.#1.:   145.1 MH/s

Hashtype: SHA-1(Base64), nsldap, Netscape LDAP SHA
Workload: 512 loops, 256 accel
Speed.GPU.#1.:  3736.0 MH/s

Hashtype: SSHA-1(Base64), nsldaps, Netscape LDAP SSHA
Workload: 512 loops, 256 accel
Speed.GPU.#1.:  3701.5 MH/s
ERROR: clEnqueueNDRangeKernel() -4 // Dunno what happened here

Run a command prompt as Administrator (might not be required for all of this) and run the following so that the commands below work as written, or just replace %WORKDIR% with your working directory:

Code:
set WORKDIR=c:\your\working\directory

I started by copying the Active Directory Database to my Working Directory:

Code:
cp "%SystemRoot%\NTDS\ntds.dit" "%WORKDIR%\ntds.dit"

To successfully use QuarksPWDump I had to fix the database (I learned this after my first attempt; solution here):

Code:
esentutl /p %WORKDIR%\ntds.dit

I then needed to run QuarksPWDump against my working (and now fixed) ntds.dit file and write the output to a text file (--history is optional):

Code:
quarkspwdump.exe --ntds-file %WORKDIR%\ntds.dit --dump-hash-domain --history -o %WORKDIR%\ntds.txt

The output is not directly usable by oclHashcat 1.02, so I had to extract the LM hashes and split them up into blocks of 16 (thanks):

Code:
REM The extra .{32}: after the captured groups forces the match onto the LM field; without it the greedy .* lets the two groups land on the NT hash (also 32 chars followed by a colon)
sed -rn 's/.*:.*:(.{16})(.{16}):.{32}:.*/\1\r\n\2/p' %WORKDIR%\ntds.txt > %WORKDIR%\ntds_lm.txt

It is simply laid out as User:UID:LM:NTLMv1:::, so to extract the NTLMv1 hash, here is the sed:

Code:
sed -rn 's/.*:.*:.*:(.{32}):.*/\1/p' %WORKDIR%\ntds.txt > %WORKDIR%\ntds_ntlm1.txt

I then ran oclHashcat in brute-force mode against the LM hashes, with upper-case letters, digits and symbols only:

Code:
oclHashcat64.exe -m 3000 %WORKDIR%\ntds_lm.hash -a 3 -1 ?u?d?s ?1?1?1?1?1?1?1

However the results are as follows:

Code:
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Thu Apr 24 22:40:45 2014 (3 secs)
Time.Estimated.: Fri Apr 25 00:19:39 2014 (1 hour, 38 mins)
Speed.GPU.#1...:  1346.8 MH/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 4907859968/7446353252589 (0.07%)
Rejected.......: 0/4907859968 (0.00%)

Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Thu Apr 24 22:40:45 2014 (1 hour, 29 mins)
Time.Estimated.: 0 secs
Speed.GPU.#1...:   100.4 MH/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 7446353252589/7446353252589 (100.00%)
Rejected.......: 0/7446353252589 (0.00%)


I did go out for a beer with my colleague while this was running. The final 100MH/s is probably just it spinning down, but if it's not, then it was perhaps because I locked my PC and the screens turned off?

I forgot to use increment, so I did the following as of writing this (if you are doing this from scratch, do all 7 with increment):

Code:
oclHashcat64.exe -m 3000 F:\_users\ntds_lm.hash --increment -a 3 -1 ?u?d?s ?1?1?1?1?1?1

And the results:

Code:
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1) [1]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/69 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1) [2]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/4761 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1) [3]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/328509 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1) [4]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/22667121 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1) [5]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 02:09:50 2014 (1 sec)
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/1564031349 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1) [6]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 02:09:50 2014 (1 min, 21 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/107918163081 (0.00%)
Rejected.......: 0/0 (0.00%)

So, why are none of my hashes being matched up with anything?

Could the extracted hashes be invalid for some reason?

I did try NTLM (-m 1000) with the ntds_ntlm1.txt file and the following rules (ntlm.hcmask), but got nothing. I attributed that to the passwords perhaps being more complicated, which is why I kept to LM:

Code:
?u?l?l?l?l?d
?u?l?l?l?l?l?d
?u?l?l?l?l?l?l?d
?u?l?l?l?l?l?l?l?d
?u?l?l?l?l?d?d
?u?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?d?d

Any help would be much appreciated!

Many Thanks,
MadCatter
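An added Python example (not the poster's code, and not part of the original thread) that parses pwdump-format lines by field position, shows what the greedy sed pattern from the post actually captures on such a line, and audits how many accounts have an LM hash stored at all, using the well-known empty-string LM half AAD3B435B51404EE. The sample dump lines are constructed; the first carries the well-known LM and NT hashes of "password", the other hash values are placeholders.

```python
import re

# LM hash half of the empty string. Two of these as the LM field mean no LM
# hash is stored for the account; an empty second half alone means the
# password is at most 7 characters long.
EMPTY_LM_HALF = "AAD3B435B51404EE"

# The greedy pattern from the post. Both .* backtrack until "32 chars then
# ':'" fits, and the NT field satisfies that too, so the NT hash is captured.
GREEDY_LM_RE = re.compile(r".*:.*:(.{16})(.{16}):.*")

# Constructed sample in pwdump format (user:rid:lm:nt:::). The first line
# carries the well-known LM/NT hashes of "password"; the others use an
# obviously fake first half or the empty-string half as placeholders.
SAMPLE_DUMP = [
    "alice:1104:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::",
    "svc_backup:1105:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "bob:1106:0011223344556677AAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::",
]

def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) by field position, not by regex."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4 or len(fields[2]) != 32 or len(fields[3]) != 32:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = fields[:4]
    return user, rid, lm.upper(), nt.upper()

def lm_halves(lm):
    """The 16-char halves worth feeding to -m 3000; empty halves are dropped."""
    return [h for h in (lm[:16], lm[16:]) if h != EMPTY_LM_HALF]

def greedy_capture(line):
    """What the post's sed pattern captures from one line, for comparison."""
    m = GREEDY_LM_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def audit(lines):
    """Count accounts with an LM hash stored, without one, and with <=7-char passwords."""
    stats = {"lm_stored": 0, "lm_absent": 0, "short_password": 0}
    for line in lines:
        _, _, lm, _ = parse_pwdump_line(line)
        if not lm_halves(lm):
            stats["lm_absent"] += 1
            continue
        stats["lm_stored"] += 1
        if lm[16:] == EMPTY_LM_HALF:
            stats["short_password"] += 1
    return stats
```

If every account reports lm_absent, there is nothing for -m 3000 to recover and only the NT hashes are worth attacking; if greedy_capture returns the NT halves, the hash file fed to LM mode never contained LM hashes in the first place.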


Messages In This Thread
HELP/GUIDE: LM Brute Force - by madcatter - 04-25-2014, 03:29 AM