Creating NetNTLMv2 hashes
It took me a while to find/figure this out recently so I thought I'd post it here in case it helped anyone else. If nothing else I'll probably forget the details in a couple weeks and I can just use it to remind myself.

NetNTLMv2 hash format (-m 5600) appears to have been introduced in a hashcat-0.43 beta and was originally aligned with JtR as follows:

$NETNTLMv2$USERDOMAIN$1122334455667788$d2d10fab083e422123c693587315814a$0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000

By the time 0.43 was officially released this had been changed to its current format, which is aligned with l0phtcrack:

test::LAB:1122334455667788:3b482ca7d786401abd40c4bce7f1c283:0101000000000000ebfbd8bf8d24ce01a31384a499a4935800000000020000000000000000000000

The format of this layout is:

Username::Domain:Challenge:NTLMv2hash(aka HMAC-MD5):blob(entire NTLMv2 response except the HMAC that was in the preceding field)

If you're using Cain to capture/process these negotiations, there is no export functionality so you'll need to take them directly from the NTLMv2.LST file which is located here:

%PROGRAMFILES%\Cain\NTLMv2.LST

To put them in the lc/hashcat format, you can use:

awk -v OFS=":" -F "\t" '{print($1,"",$2,$5,$4,$6)}' NTLMv2.LST > ntlmv2.hashes

Hope someone finds this useful.
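
Added example, not part of the original post: a Python check that a converted line really has the user::domain:challenge:hmac:blob layout described above, and that decodes the fixed header of the blob. The function name and the blob field layout (taken from the NTLMv2_CLIENT_CHALLENGE structure in MS-NLMP) are assumptions not stated in the post; the sample line is the one quoted above.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Sample line copied from the post above.
SAMPLE = ("test::LAB:1122334455667788:3b482ca7d786401abd40c4bce7f1c283:"
          "0101000000000000ebfbd8bf8d24ce01a31384a499a49358"
          "00000000020000000000000000000000")


def parse_netntlmv2(line):
    """Parse one user::domain:challenge:hmac:blob line; raise ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected user::domain:challenge:hmac:blob")
    user, _, domain, challenge, proof, blob = parts
    # Fixed-size fields: 8-byte server challenge, 16-byte HMAC-MD5.
    for name, value, size in (("challenge", challenge, 8), ("hmac", proof, 16)):
        if len(value) != size * 2 or not HEX.fullmatch(value):
            raise ValueError(f"{name} must be {size} hex-encoded bytes")
    # The blob needs at least its 28-byte fixed header.
    if len(blob) < 56 or not HEX.fullmatch(blob):
        raise ValueError("blob is not hex or is shorter than its fixed header")
    raw = bytes.fromhex(blob)
    # Assumed layout (MS-NLMP NTLMv2_CLIENT_CHALLENGE), little-endian:
    # RespType, HiRespType, 6 reserved bytes, FILETIME, 8-byte client challenge.
    resp, hi_resp, _r1, _r2, filetime, client_chal = struct.unpack_from("<BBHIQ8s", raw)
    if (resp, hi_resp) != (1, 1):
        raise ValueError("blob does not start with response type 01 01")
    return {
        "user": user, "domain": domain,
        "server_challenge": challenge.lower(), "ntproofstr": proof.lower(),
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
        "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "client_challenge": client_chal.hex(),
        "av_pairs": raw[28:].hex(),  # everything after the 4 reserved bytes
    }


if __name__ == "__main__":
    for key, value in parse_netntlmv2(SAMPLE).items():
        print(f"{key:17} {value}")
```

A line still in the older $NETNTLMv2$ layout, or one where the awk field order did not match the capture file, fails with ValueError instead of being passed on silently.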


Messages In This Thread
Creating NetNTLMv2 hashes - by pragmatic - 12-23-2013, 08:08 PM
RE: Creating NetNTLMv2 hashes - by pragmatic - 12-23-2013, 08:16 PM