Need help with NTLM password case
#7
(03-26-2018, 10:09 AM)undeath Wrote: It seems weird that your LM hash always looks case-sensitive. I'm not sure how exactly hashcat handles LM hashes but I would expect it to only have upper case letters.

Regarding the restore file, for wordlist attacks it depends on the word position in your dict. Since there is only one word in it, hashcat never reaches a point where it would create a restore file.

I believe the reason my LM hashes always look case-sensitive is because I was lazy and busy, and didn't care about the six hours it'd take to run through every combo, so I used a mask of all ?a's.

Because capitalization doesn't matter with LM hashes, PAssWOrD will encode to the same hash as PASSWORD. You can test this yourself by going to an on-line LM hash generator / encoder / whatever you want to call it.

I could have specified to try just symbols, numbers, and upper case or just lower case letters and it would have sped it up a bit and found the same password. I copied and pasted, because I was being lazy.

It was a weird issue, domain controllers store passwords differently. So Administrator account, I couldn't log in when I booted the server normally, because there was no Administrator account. It was only when I did the F8 trick and disabled the domain controller stuff that I could log in as Administrator. The domain user that really was the admin was Cinder45.

This could perhaps be Microsoft's way of preventing someone from logging in as Administrator in normal mode? Having an NTLM password that never matches the LM hash? I dunno. I'd love to learn where those domain usernames and hashes are stored and how to read the hashes from them.

Regardless, I finally gained admin access to the server. A friend suggested the old trick of replacing the accessibility program with cmd.exe and hitting the shift key five times. This spawns an administrator command prompt, before the login screen, where you can use net user to view and change account passwords. I saw the Cinder45 account, remembered him saying that was the account needed to log in, changed the password, and access was gained, finally!
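
The LM case-folding mentioned in the post above, as an added example that is not part of the original post or of hashcat: it implements only the key-preparation stage of LM (uppercase, pad to 14 bytes, split into two 7-byte halves, expand each to a DES key) and omits the final DES encryptions. The function names are hypothetical and ASCII input is assumed (Windows uses the OEM code page).

```python
# Added illustration: LM key preparation only. The two DES encryptions of the
# constant "KGS!@#$%" that finish the real hash are intentionally omitted.
# Assumption: ASCII passwords; Windows actually uses the OEM code page.


def to_des_key(seven: bytes) -> bytes:
    """Spread 56 bits over 8 bytes: 7 key bits per byte, low bit = odd parity."""
    n = int.from_bytes(seven, "big")
    key = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:  # force an odd number of set bits
            b |= 1
        key.append(b)
    return bytes(key)


def lm_des_keys(password: str) -> tuple[bytes, bytes]:
    """Return the two DES keys LM derives from a password."""
    if len(password) > 14:
        # LM has no representation for longer passwords.
        raise ValueError("LM cannot represent passwords longer than 14 characters")
    # Case is discarded here, before any cryptography happens.
    raw = password.upper().encode("ascii").ljust(14, b"\x00")
    # Each half is keyed independently, so each can be searched independently.
    return to_des_key(raw[:7]), to_des_key(raw[7:])


if __name__ == "__main__":
    for pw in ("PAssWOrD", "PASSWORD", "abc"):  # constructed sample inputs
        first, second = lm_des_keys(pw)
        print(f"{pw:10} {first.hex()} {second.hex()}")
```

Because the case information is gone before hashing, a mask limited to upper case, digits and symbols covers the same LM keyspace as an all-`?a` mask, and the NT hash is the only place the original capitalization survives.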

