LM & NTLMv1 + challenge
#1
Hi!
I'm experimenting with some old SMB test captures. I have LANMAN (LM) and NTLM hashes too, with the challenge. Back in the day, Cain could attack the LANMAN hashes and then attack the NTLM using the known UPPERCASE password.

How can I do it with Hashcat?

I can use -m 5500 (NetNTLMv1 / NetNTLMv1+ESS), but just for the NTLM part. How can Hashcat recover the LM part (7 UPPER chars + 1...7 UPPER chars)?

Sample capture:
Code:
::USER:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF

I also tried other modes, like -m 3000, but no luck. Formatting the capture in a Hashcat-compatible way was a task too.
By the way, John can perform this attack out of the box...

Thank you!
#2
Yeah, split the LM from the NTLM part. I think the reason why there is no such combined attack in hashcat is that LM has been obsolete for a very long time and hashcat is very specialized.

Afterwards I would take the 7-char part output and use a simple combine (combine the output with itself as the input) + rule attack (be sure there are standard rules like toggle word combined with toggle first char, as most passwords will probably start with an uppercase letter).

I also made a simple Python script which outputs every upper/lower combination, but mostly I don't need this script.

You can also attack each LM on its own; this way you could see which two 7-char parts belong to each other, or you have to take a look yourself after cracking all parts.
#3
Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.
#4
Wow! Thank you for the fast reply, with good news! An LM challenge-response mode would be very nice.
I can help with testing if needed!
 
(12-19-2022, 06:57 PM)Chick3nman Wrote: Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.
#5
(12-19-2022, 06:57 PM)Chick3nman Wrote: Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.

Do you happen to have any update on this?
#6
(01-24-2023, 11:29 AM)jason81 Wrote:
(12-19-2022, 06:57 PM)Chick3nman Wrote: Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.

Do you happen to have any update on this?

It's not currently released, apologies. I try to only release things in a relatively polished state so I've got quite the backlog of half finished stuff. This is also a little further complicated by the ESS/SSP hashes that do not contain a valid LM challenge response. I've not yet decided how to handle those hashes and if I should trust the user to know better or if I should try and parse the hash to reject them in the module parser.
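Added worked example for this thread (it is not code from the thread, from hashcat, from John or from Cain): it builds the LM challenge response that #2 suggests splitting into halves and that #6 says ESS/SSP lines do not carry, cracks it one 7-character half at a time, and classifies a -m 5500 line as plain or ESS/SSP before any LM attack is attempted. It assumes a single-DES primitive from pycryptodome (Crypto or Cryptodome) or from the cryptography package; the password, user, domain, challenge, client nonce, fragment wordlist and the zero NT placeholder in the sample lines are all constructed for the demo.

```python
"""Added example for this thread (not hashcat, John or Cain code): builds the LM
challenge response carried in a NetNTLMv1 / hashcat -m 5500 line, cracks it one
7-character half at a time, and flags ESS/SSP lines whose LM field is a client
nonce plus zeros rather than anything derived from the LM hash.  Assumes single
DES from pycryptodome (Crypto/Cryptodome) or from the cryptography package; the
password, user, domain, challenge, nonce and fragment list are all constructed."""
import hashlib

LM_MAGIC = b"KGS!@#$%"  # fixed DES plaintext of the LM hash

def des_ecb(key8: bytes, block8: bytes) -> bytes:
    """Single-DES encrypt one 8-byte block; tries pycryptodome, then cryptography."""
    for mod in ("Crypto.Cipher.DES", "Cryptodome.Cipher.DES"):
        try:
            des = __import__(mod, fromlist=["DES"])
            return des.new(key8, des.MODE_ECB).encrypt(block8)
        except ImportError:
            pass
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
    except ImportError:  # cryptography < 43 still has it under algorithms
        from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
    enc = Cipher(TripleDES(key8 * 3), modes.ECB()).encryptor()  # K1=K2=K3: single DES
    return enc.update(block8) + enc.finalize()

def des_key_from_7(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each; the parity (low) bit stays 0."""
    n = int.from_bytes(k7, "big")
    return bytes((((n >> (49 - 7 * i)) & 0x7F) << 1) for i in range(8))

def lm_half(fragment: bytes) -> bytes:
    """LM hash of one half: DES with the (zero-padded) 7-byte fragment as key."""
    return des_ecb(des_key_from_7(fragment[:7].ljust(7, b"\0")), LM_MAGIC)

def lm_hash(password: str) -> bytes:
    p = password.upper().encode("latin-1")[:14]  # upper-cased, at most 14 bytes
    return lm_half(p[:7]) + lm_half(p[7:])

def lm_response(lm16: bytes, challenge: bytes) -> bytes:
    """NetNTLMv1 LM response: LM hash padded to 21 bytes, cut into three 7-byte
    DES keys, each encrypting the 8-byte server challenge (24 bytes total)."""
    k = lm16.ljust(21, b"\0")
    return b"".join(des_ecb(des_key_from_7(k[i:i + 7]), challenge) for i in (0, 7, 14))

def ess_nt_challenge(server_challenge: bytes, client_nonce: bytes) -> bytes:
    """With ESS/SSP the NT response is computed over MD5(challenge || nonce)[:8]."""
    return hashlib.md5(server_challenge + client_nonce).digest()[:8]

def parse_netntlmv1(line: str) -> dict:
    """Split a hashcat -m 5500 line (user::domain:LMresp:NTresp:challenge).  ESS/SSP
    is recognised by an LM field of 8 nonce bytes followed by 16 zero bytes."""
    head, lm_hex, nt_hex, chal_hex = line.strip().rsplit(":", 3)
    lm, nt, chal = (bytes.fromhex(x) for x in (lm_hex, nt_hex, chal_hex))
    if (len(lm), len(nt), len(chal)) != (24, 24, 8):
        raise ValueError("not a NetNTLMv1 line")
    ess = lm[8:] == bytes(16)
    return {"head": head, "lm": lm, "nt": nt, "challenge": chal, "ess": ess,
            "nt_challenge": ess_nt_challenge(chal, lm[:8]) if ess else chal}

def crack_lm_response(lm_resp: bytes, challenge: bytes, fragments: list) -> tuple:
    """Attack the LM response half by half.  DES block 1 is keyed by LM hash bytes
    0..6 (first half only); block 2 by bytes 7..13 (last byte of the first half plus
    six of the second); block 3 by bytes 14..15 plus zero padding.  So the first
    7 characters fall on their own, the rest only once that one byte is known.
    Returns (half1, half2); a half is None when no fragment matched it."""
    cands = [f.upper().encode("latin-1")[:7] for f in fragments] + [b""]
    first = next((c for c in cands
                  if des_ecb(des_key_from_7(lm_half(c)[:7]), challenge) == lm_resp[:8]), None)
    if first is None:
        return None, None
    h1 = lm_half(first)
    for c in cands:
        h2 = lm_half(c)
        if (des_ecb(des_key_from_7(h1[7:8] + h2[:6]), challenge) == lm_resp[8:16]
                and des_ecb(des_key_from_7(h2[6:8] + bytes(5)), challenge) == lm_resp[16:]):
            return first.decode("latin-1"), c.decode("latin-1")
    return first.decode("latin-1"), None

# Constructed sample: password "Summer2022!Q", challenge 0123456789abcdef; the NT
# field is a zero placeholder, and the ESS line carries a made-up client nonce.
CHALLENGE = bytes.fromhex("0123456789abcdef")
NONCE = bytes.fromhex("a1b2c3d4e5f60718")
SAMPLE_LINE = "user::LAB:%s:%s:%s" % (lm_response(lm_hash("Summer2022!Q"), CHALLENGE).hex(),
                                      "00" * 24, CHALLENGE.hex())
ESS_LINE = "user::LAB:%s:%s:%s" % ((NONCE + bytes(16)).hex(), "00" * 24, CHALLENGE.hex())
FRAGMENTS = ["PASSWOR", "D", "WINTER2", "SUMMER2", "023!", "022!Q"]

if __name__ == "__main__":
    h = parse_netntlmv1(SAMPLE_LINE)
    print("ESS:", h["ess"], "halves:", crack_lm_response(h["lm"], h["challenge"], FRAGMENTS))
    e = parse_netntlmv1(ESS_LINE)
    print("ESS:", e["ess"], "attack the NT part against:", e["nt_challenge"].hex())
```

Running it prints the two recovered halves for the plain line and, for the ESS/SSP line, the 8-byte value the NT response has to be attacked against instead of the raw challenge. The order of the half attack is forced by the key layout: block 2 of the response is keyed with LM hash bytes 7..13, so the second half can only be tested once the last hash byte of the first half is known, which is also why the first-half cracking can run against a plain 7-character fragment list while the second half needs the first result. An LM field whose last 16 bytes are zero is a client nonce, not an LM-derived value, and no amount of cracking recovers anything from it, which is the module-parser decision #6 is talking about.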