Sorry for reviving an old thread but I felt compelled to publish a few corrections as my original post wasn't exactly clear.
For NTLMv1-ESS, the plaintext password for the below hash is 'hashcat' and is taken from the example hashes on the hashcat wiki https://hashcat.net/wiki/doku.php?id=example_hashes
---BEGIN PYTHON DEMONSTRATOR CODE---
import binascii
import hashlib

hash = "u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c"
hashsplit = hash.split(':')
challenge = hashsplit[5]
combined = hashsplit[4]
ct1 = combined[0:16]
ct2 = combined[16:32]
ct3 = combined[32:48]
f3 = hashsplit[3]
#>>> f3
#'338d08f8e26de93300000000000000000000000000000000'
#>>> challenge
#'cb8086049ec4736c'
#>>> ct3
#'2e1e4bf33006ba41'
print("./ct3_to_ntlm.bin " + ct3 + " " + challenge + " " + f3)
#./ct3_to_ntlm.bin 2e1e4bf33006ba41 cb8086049ec4736c 338d08f8e26de93300000000000000000000000000000000
# execute the command below and the output is:
# 1e2b
# NTLM hash = MD4 over the UTF-16LE password (md4 may need OpenSSL's legacy provider enabled)
hash = hashlib.new('md4', "hashcat".encode('utf-16le')).digest()
print(binascii.hexlify(hash).decode())
#b4b9b02e6f09a9bd760f388b67351e2b
print(binascii.hexlify(hash).decode()[28:32])
#1e2b
print(ct1 + ":" + challenge)
print(ct2 + ":" + challenge)
# run the output of the above through hashcat mode 14000 and you will get the appropriate DES keys to be converted into ntlm challenge hashes
---END DEMONSTRATOR CODE---
So for those of us who aren't coders:
1) The hash was pulled from the example hashes in NTLMv1-ESS format, this is a very common responder format
2) The hash needs to be split into chunks, all fields are delimited by :
Field 1: hostname - u4-netntlm
Field 2: blank
Field 3: username - kNS
Field 4: I honestly can't remember the technical name, I call it F3 above but it's the ESS chunk you feed into atom's ct3_to_ntlm.bin after ct3 and the challenge in order to get the last 4 characters of the cracked ntlm hash - 338d08f8e26de93300000000000000000000000000000000
Field 5: ct1+ct2+ct3, first 8 bytes are ct1, second 8 are ct2, third 8 are ct3 - 9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41
Field 6: challenge
3) run ./ct3_to_ntlm.bin ct3 challenge f3 [for ess only]
./ct3_to_ntlm.bin 2e1e4bf33006ba41 cb8086049ec4736c 338d08f8e26de93300000000000000000000000000000000
1e2b
4) make a 14000.hash file formatted like this
challenge:ct1
challenge:ct2
example
cb8086049ec4736c:9526fb8c23a90751
cb8086049ec4736c:cdd619b6cea56474
5) crack with hashcat
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1
6) if you are so inclined split it up using --keyspace and --skip and limit, although --keyspace appears broken it should be 34359738368
7) the ntlm hash of hashcat is b4b9b02e6f09a9bd760f388b67351e2b and the last 4 characters are 1e2b which equals what was output from step 3, once things are cracked you then use atom's tools to convert the des keys into NTLM from https://hashcat.net/forum/thread-5832.html
root@et:~/hashcat-utils/src# perl deskey_to_ntlm.pl [deskey1]
root@et:~/hashcat-utils/src# perl deskey_to_ntlm.pl [deskey2]
the final ntlm hash is b4b9b02e6f09a9bd760f388b67351e2b which is
b4b9b02e6f09a9 - deskey 1
bd760f388b6735 - deskey 2
1e2b - deskey 3 calculated from step 3
Hopefully this clears things up for NTLMv1-ESS
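
Added example (not part of the original post and not code from hashcat-utils): a short Python sketch of why the NTLM hash in step 7 falls apart into "deskey 1 / deskey 2 / deskey 3" and how an 8-byte DES key maps back to 7 bytes of NTLM hash. The function names are hypothetical; the hash value is the one quoted in the post.

```python
# NTLMv1 pads the 16-byte NT hash to 21 bytes and uses it as three 7-byte
# DES key seeds. Each seed is spread over 8 bytes (7 key bits + 1 parity bit
# per byte) before DES is applied to the 8-byte challenge.
NT_HASH_HEX = "b4b9b02e6f09a9bd760f388b67351e2b"  # value quoted in the post


def split_nt_hash(nt: bytes):
    """Return the three 7-byte key seeds derived from a 16-byte NT hash."""
    if len(nt) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt + b"\x00" * 5          # 21 bytes: only 2 bytes of seed 3 are secret
    return padded[0:7], padded[7:14], padded[14:21]


def expand_des_key(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes; the low (parity) bit is left as 0."""
    if len(k7) != 7:
        raise ValueError("seed must be 7 bytes")
    n = int.from_bytes(k7, "big")
    return bytes(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def strip_des_key(k8: bytes) -> bytes:
    """Inverse of expand_des_key: drop each byte's parity bit, keep 56 bits."""
    if len(k8) != 8:
        raise ValueError("DES key must be 8 bytes")
    n = 0
    for b in k8:
        n = (n << 7) | (b >> 1)        # parity bit is ignored, whatever its value
    return n.to_bytes(7, "big")


def reassemble(deskey1: bytes, deskey2: bytes, tail_hex: str) -> str:
    """Join two recovered DES keys and the 2-byte tail into the NT hash (hex)."""
    tail = bytes.fromhex(tail_hex)
    if len(tail) != 2:
        raise ValueError("tail must be 2 bytes (4 hex characters)")
    return (strip_des_key(deskey1) + strip_des_key(deskey2) + tail).hex()


if __name__ == "__main__":
    s1, s2, s3 = split_nt_hash(bytes.fromhex(NT_HASH_HEX))
    print("seed 1:", s1.hex())         # first 14 hex characters of the NT hash
    print("seed 2:", s2.hex())         # next 14 hex characters
    print("seed 3:", s3.hex())         # last 4 hex characters + zero padding
    print(reassemble(expand_des_key(s1), expand_des_key(s2), s3[:2].hex()))
```

Because the third seed is two hash bytes followed by five zero bytes, it has only 65536 possible values, which is why the last 4 characters come back immediately while the first two keys each need a full 56-bit DES search.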