04-25-2014, 06:59 PM
So I did the following to get the hashes using NTDSXtract. I ended up just using a Debian virtual machine, as I could not get libesedb to compile with Cygwin or Visual Studio 2013.
I used the guide here.
However, the download for libesedb is on Google; be sure to use the 20120102 one. I also had to "apt-get install python python-crypto" so I could run it.
Followed the rest of that blog post, except the table commands were +1 each, datatable.4 and link_table.6:
Code:
python dsusers.py ../../ntds.dit.export/datatable.4 ../../ntds.dit.export/link_table.6 --passwordhashes ../../SYSTEM.hive --passwordhistory ../../SYSTEM.hive > hashes.txt
A few commands coming up, transferred the hashes.txt to my host, I just used Excel to do the matching:
This will give you all the LM hashes split up:
Code:
grep ::: hashes.txt | grep -v '\$NT\$' | sed -rn 's/.*\:(.{16})(.{16})\:\:\:/\1\r\n\2/p'
The same for NTLM but we include (instead of -v) the $NT$, and tweak the sed:
Code:
grep ::: hashes.txt | grep '\$NT\$' | sed -rn 's/.*\:\$NT\$(.{32})\:\:\:/\1/p'
And the LM hashes are now working ... I will work on the step-by-step guide to this, and also on using the LM clear-text passwords to match against the NTLM passwords. I did consider the Table-Lookup Attack, but Toggle-Case seems to do what we want for that.
Anyways, thanks so far =]
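
An added example, not part of the original post: an audit pass over the same hashes.txt that lists which accounts still have an LM hash stored, without printing any hash, so they can be queued for a password change once LM storage is disabled. The line format is assumed from the grep/sed patterns above; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report accounts that still have an LM hash stored.
# ASSUMED line format, inferred from the grep/sed patterns in the post:
#   name:<32 hex LM>:::      and      name:$NT$<32 hex NT>:::

LM_EMPTY_HALF="aad3b435b51404ee"   # LM hash of an empty 7-character half

# lm_audit FILE -> prints "name<TAB>finding" per account; never prints a hash.
lm_audit() {
    awk -F: -v empty="$LM_EMPTY_HALF" '
        { sub(/\r$/, "") }               # tolerate CRLF line endings
        !/:::$/ { next }                 # same filter as "grep :::"
        {
            h = tolower($(NF-3))         # field just before the trailing ":::"
            if (length(h) != 32 || h ~ /[^0-9a-f]/) next   # skips $NT$ lines
            if (h == empty empty) next   # blank LM hash: nothing usable stored
            name = substr($0, 1, length($0) - 36)          # drop ":" hash ":::"
            if (substr(h, 17) == empty)
                finding = "LM hash stored, password is 7 characters or fewer"
            else
                finding = "LM hash stored"
            print name "\t" finding
        }
    ' "$1"
}

# write_sample FILE -> constructed sample data (not real hashes or accounts).
write_sample() {
    cat > "$1" <<'EOF'
alice:0123456789abcdef0123456789abcdef:::
alice:$NT$00112233445566778899aabbccddeeff:::
bob:FEDCBA9876543210AAD3B435B51404EE:::
bob:$NT$ffeeddccbbaa99887766554433221100:::
carol:aad3b435b51404eeaad3b435b51404ee:::
carol:$NT$0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
some other output line without a hash
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp) && write_sample "$sample" && lm_audit "$sample"
rm -f "$sample"
```

An account whose second LM half equals the empty-half constant has a password that fits in the first seven characters, so those are the ones to reset first.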