Let's break this down:
johndoe::test-domain:1FA1B9C4ED8E570200000000000000000000000000000000:1B91B89CC1A7417DF9CFAC47CCDED2B77D01513435B36DCA:1122334455667788
http://davenport.sourceforge.net/ntlm.ht...lmResponse
--- from the above site---
The NTLM response is calculated as follows (see Appendix D for a sample Java implementation):
The MD4 message-digest algorithm (described in RFC 1320) is applied to the Unicode mixed-case password. This results in a 16-byte value - the NTLM hash.
The 16-byte NTLM hash is null-padded to 21 bytes.
This value is split into three 7-byte thirds.
These values are used to create three DES keys (one from each 7-byte third).
Each of these keys is used to DES-encrypt the challenge from the Type 2 message (resulting in three 8-byte ciphertext values).
These three ciphertext values are concatenated to form a 24-byte value. This is the NTLM response.
--- End snippet ---
So 1B91B89CC1A7417DF9CFAC47CCDED2B77D01513435B36DCA is the NTLM response and 1122334455667788 is the challenge.
So
challenge: 11 22 33 44 55 66 77 88 (8 bytes)
CT1: 1B 91 B8 9C C1 A7 41 7D (8 bytes)
CT2: F9 CF AC 47 CC DE D2 B7 (8 bytes)
The final value PT3 you need to bruteforce locally using hashcat des mode 14000, the hash format will look like this:
7D01513435B36DCA:1122334455667788
The keyspace will be ?1?1? on -a charsets/DES_full.charset and should take at most a few seconds. Once completed, you concatenate the values and base64 encode them.
http://markgamache.blogspot.ca/2013/01/n...roken.html gives a nice visual of how this works, and from chapcrack:
print "CloudCracker Submission = $99$%s" % base64.b64encode("%s%s%s%s" % (plaintext, c1, c2, k3[0:2]))
k3 in this instance is what I'm calling PT3.
Hopefully this clears this up a bit.
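The layout described in the post, as an added example that is not part of the original post or of chapcrack: it parses the capture line into its fields, splits the 24-byte response into its three 8-byte blocks, and shows how a 16-byte hash is padded and split into three DES keys, which makes visible that the third key carries only two non-null bytes. The function names and the demo hash are assumptions constructed for illustration; the 7-to-8-byte expansion uses the standard DES odd-parity convention.

```python
# Constructed walk-through of the NTLMv1 layout described in the post.
SAMPLE = ("johndoe::test-domain:"
          "1FA1B9C4ED8E570200000000000000000000000000000000:"
          "1B91B89CC1A7417DF9CFAC47CCDED2B77D01513435B36DCA:"
          "1122334455667788")  # capture line quoted in the post

def parse_capture(line):
    """Split user::domain:lm_response:nt_response:challenge into fields."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected 6 colon-separated fields")
    user, _, domain, lm_hex, nt_hex, chal_hex = parts
    nt, chal = bytes.fromhex(nt_hex), bytes.fromhex(chal_hex)
    if len(nt) != 24 or len(chal) != 8:
        raise ValueError("need a 24-byte response and an 8-byte challenge")
    # Three 8-byte DES ciphertexts, one per 7-byte third of the padded hash.
    blocks = [nt[i:i + 8] for i in range(0, 24, 8)]
    return {"user": user, "domain": domain, "challenge": chal, "blocks": blocks}

def key_thirds(nt_hash):
    """Null-pad a 16-byte NTLM hash to 21 bytes and split it 7/7/7."""
    if len(nt_hash) != 16:
        raise ValueError("NTLM hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [padded[i:i + 7] for i in range(0, 21, 7)]

def expand_des_key(k7):
    """Spread 56 key bits over 8 bytes, setting each low bit for odd parity."""
    n = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)

if __name__ == "__main__":
    cap = parse_capture(SAMPLE)
    for i, ct in enumerate(cap["blocks"], 1):
        print(f"CT{i}: {ct.hex().upper()}")
    demo_hash = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    for third in key_thirds(demo_hash):
        print(third.hex(), "->", expand_des_key(third).hex())
```

Because five of the seven bytes in the last third are always null padding, that key space is 2^16 regardless of password strength, which is one reason NTLMv1 should be disabled in favour of NTLMv2 or Kerberos.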