Module 5500 - different results for same hash (with or without client challenge part)
maybe you just didn't understand the posts.

depending on the output you get from your capture tool/dump (i.e. if it is NetNTLMv1 / NetNTLMv1+ESS or NetNTLMv2), you need to use -m 5500 or -m 5600.

The perl command from can be used to convert the output of your capture tool if needed (if it uses the jtr format with $NETNTLM$).
of course you cannot just randomly modify the example hash and think it is still crackable with different data. If you change a hash, you probably make it uncrackable.

the missing part in your hash is the domain. Do you know the doman of the target ?

both -m 5500 and -m 5600 use the domain within the algorithm, it could be blank (empty string) as far as I know, but if the domain is used by the devices, you need to use it too.

The format for -m 5500 is for instance very simple, just $user::$domain:$client_challenge:$response:$server_challenge

Messages In This Thread
RE: Module 5500 - different results for same hash (short vs full format) - by philsmd - 04-18-2019, 07:27 PM