LM Hashes
#12
Assuming your ntds dump is ntds.dit, you need to do the following (don't do it from a Mac, it just doesn't work):

1) Create a list of just lanman
Code:
cut -d: -f3 < ntds.dit | sort -u > ntds.lm

2) Create a list of just ntlm and remove invalid hashes (aad3b435b51404eeaad3b435b51404ee)
Code:
cut -d: -f4 < ntds.dit | grep -v aad3b435b51404eeaad3b435b51404ee | sort -u > ntds.ntlm

3) Run hashcat in mode 3000 on increment mode for ?a (this will not cover all accented and international characters, adjust if needed)

Code:
./hashcat -m 3000 ntds.lm -i -a 3 -w 3 '?a?a?a?a?a?a?a'

4) Create a new candidate file
Code:
./hashcat -m 3000 ntds.lm --show | cut -d: -f2- > cand.lst

5) Download the toggles rules from https://blog.didierstevens.com/2016/07/1...gle-rules/
Direct download link: http://didierstevens.com/files/software/...v0_0_1.zip

6) Run hashcat with your candidate file and the rule file in that zip
Code:
./hashcat -m 1000 ntds.ntlm -w 3 -O -a 0 cand.lst -r toggles-lm-ntlm.rule

7) Show the results
Code:
./hashcat -m 1000 ntds.dit --username --show
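An added example, not part of the post above or of hashcat: a password-audit helper that reads the same pwdump-style layout the `cut` commands assume (user:rid:lm:nt:::) and reports which accounts still have an LM hash stored, using the empty-half value aad3b435b51404ee. The function names and the sample accounts and hash values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: classify LM exposure per account in a pwdump-format dump.
# An LM hash is two independent 16-hex halves, each covering at most 7
# uppercased characters, which is why a 7-position mask covers mode 3000.

EMPTY_HALF="aad3b435b51404ee"   # LM value of an empty 7-character half

# lm_audit FILE -> prints "user<TAB>status" for every account line
lm_audit() {
  awk -F: -v empty="$EMPTY_HALF" '
    NF >= 4 {
      lm = tolower($3)
      if (length(lm) != 32) { print $1 "\tmalformed-lm"; next }
      h1 = substr(lm, 1, 16); h2 = substr(lm, 17, 16)
      if (h1 == empty && h2 == empty) status = "no-lm"
      else if (h2 == empty)           status = "lm-stored-len<=7"
      else                            status = "lm-stored-len-8-14"
      print $1 "\t" status
    }' "$1"
}

# lm_exposed_count FILE -> number of accounts with a real LM hash stored
lm_exposed_count() {
  lm_audit "$1" | awk -F'\t' '$2 ~ /^lm-stored/ { n++ } END { print n + 0 }'
}

# make_sample FILE -> writes constructed test data (hash values are
# placeholders chosen for readability, not real password hashes)
make_sample() {
  cat > "$1" <<'EOF'
alice:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
bob:1002:0123456789abcdefaad3b435b51404ee:22222222222222222222222222222222:::
carol:1003:0123456789ABCDEFfedcba9876543210:33333333333333333333333333333333:::
dave:1004:short:44444444444444444444444444444444:::
EOF
}

# Stand-alone use: ./lm_audit.sh dump.txt
if [ -n "${1:-}" ]; then
  lm_audit "$1"
fi
```

Accounts reported as `lm-stored-*` are the ones to prioritise for a password change once LM hash storage has been disabled, since the stored LM value persists until the password is next set.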


Messages In This Thread
LM Hashes - by slawson - 08-21-2019, 03:06 PM
RE: LM Hashes - by Mem5 - 08-21-2019, 05:33 PM
RE: LM Hashes - by atom - 08-22-2019, 11:16 AM
RE: LM Hashes - by slawson - 08-26-2019, 03:38 PM
RE: LM Hashes - by undeath - 08-26-2019, 04:01 PM
RE: LM Hashes - by slawson - 08-26-2019, 10:52 PM
RE: LM Hashes - by DanielG - 08-27-2019, 08:38 AM
RE: LM Hashes - by undeath - 08-27-2019, 10:14 AM
RE: LM Hashes - by slawson - 08-27-2019, 04:19 PM
RE: LM Hashes - by undeath - 08-27-2019, 04:23 PM
RE: LM Hashes - by slawson - 08-27-2019, 04:34 PM
RE: LM Hashes - by evilmog - 08-28-2019, 10:40 PM