Posts: 3
Threads: 1
Joined: Dec 2022
Hi!
I'm experimenting with some old SMB test captures. I have LANMAN (LM) and NTLM hashes too, with the challenge. Back in the day, Cain could attack the LANMAN hashes and then attack the NTLM using the known UPPERCASE password.
How can I do it with Hashcat?
I can use -m 5500 (NetNTLMv1 / NetNTLMv1+ESS), but just for the NTLM part. How can Hashcat recover the LM part (7 UPPER chars + 1...7 UPPER chars)?
Sample capture:
Code:
::USER:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF
I also tried other modes, like -m 3000, but no luck. Formatting the capture in a Hashcat-compatible way was a task too.
By the way, John can perform this attack out of the box...
Thank you!
Posts: 620
Threads: 13
Joined: Sep 2017
12-19-2022, 03:09 PM
(This post was last modified: 12-19-2022, 03:25 PM by Snoopy.)
Yeah, split the LM from the NTLM part. I think the reason why there is no such combined attack in hashcat is that LM has been obsolete for a very long time and hashcat is very specialized.
Afterwards I would take the 7-char part output and use a simple combinator (combine the output with itself as the input) + rule attack (be sure there are standard rules like toggle word combined with toggle first char, as most passwords will probably start with an uppercase letter).
I also made a simple Python script which outputs every upper/lower combination, but mostly I don't need this script.
You can also attack each LM on its own; this way you could see which two 7-char parts belong to each other, or you have to take a look yourself after cracking all parts.
Posts: 301
Threads: 2
Joined: Dec 2015
Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and done a PoC for this exact attack, but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.
Posts: 3
Threads: 1
Joined: Dec 2022
(12-19-2022, 06:57 PM)Chick3nman Wrote: Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.
Wow! Thank you for the fast reply, with good news! An LM challenge-response mode would be very nice.
I can help with testing if needed!
Posts: 3
Threads: 1
Joined: Dec 2022
(12-19-2022, 06:57 PM)Chick3nman Wrote: Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.
Do you happen to have any update on this?
Posts: 301
Threads: 2
Joined: Dec 2015
(01-24-2023, 11:29 AM)jason81 Wrote: (12-19-2022, 06:57 PM)Chick3nman Wrote: Attacking the LM Challenge Response in NetNTLMv1 is fairly uncommon and thus not implemented in hashcat. I've recently gone back and did a PoC for this exact attack but I've not pushed it to master yet. Seeing that there are others doing this too, I guess I'll have to finish it up and add it as a separate mode.
Do you happen to have any update on this?
It's not currently released, apologies. I try to only release things in a relatively polished state so I've got quite the backlog of half finished stuff. This is also a little further complicated by the ESS/SSP hashes that do not contain a valid LM challenge response. I've not yet decided how to handle those hashes and if I should trust the user to know better or if I should try and parse the hash to reject them in the module parser.
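Two points in this thread lend themselves to a small helper: Snoopy's suggestion to crack the two 7-character LM halves separately and then toggle case against the NTLM response, and Chick3nman's note that ESS/SSP lines carry no valid LM challenge response. The Python below is an added example, not hashcat's, John's or any poster's code. It assumes the hashcat -m 5500 line layout (user::domain:lmresp:ntresp:challenge), and the second sample line is constructed to have the ESS shape (8-byte client nonce followed by 16 zero bytes in the LM field).

```python
"""Added helper (not hashcat or John code) for two steps from this thread:
(1) spotting NetNTLMv1 lines whose LM field is the ESS/SSP form and so has no
real LM DES response to attack, and (2) expanding the all-uppercase password
recovered from the LM halves into the case variants toggle rules would try
against the NTLM response.
Assumed line layout is the hashcat -m 5500 one: user::domain:lmresp:ntresp:challenge
"""
from itertools import product
from typing import Dict, List, NamedTuple


class NetNTLMv1(NamedTuple):
    user: str
    domain: str
    lm_resp: bytes    # 24 bytes: 3 DES blocks, or (ESS) client nonce + 16 zero bytes
    nt_resp: bytes    # 24 bytes
    challenge: bytes  # 8-byte server challenge


# Constructed samples: the placeholder line from this thread, and one in the
# ESS shape (16 hex chars of nonce, then 32 hex zeros) with made-up user/domain.
SAMPLE_LINES = [
    "::USER:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:"
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:0123456789ABCDEF",
    "alice::LAB:aabbccddeeff0011" + "00" * 16 + ":" + "11" * 24 + ":" + "22" * 8,
]


def parse_netntlmv1(line: str) -> NetNTLMv1:
    """Split a -m 5500 style line into its fields and check the byte lengths."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields, got {len(parts)}")
    user, _unused, domain, lm_hex, nt_hex, chal_hex = parts
    try:
        lm_resp, nt_resp, challenge = (bytes.fromhex(h) for h in (lm_hex, nt_hex, chal_hex))
    except ValueError as exc:
        raise ValueError(f"non-hex field in line: {exc}") from None
    if (len(lm_resp), len(nt_resp), len(challenge)) != (24, 24, 8):
        raise ValueError("field lengths are not 24/24/8 bytes (LM resp, NT resp, challenge)")
    return NetNTLMv1(user, domain, lm_resp, nt_resp, challenge)


def is_ess(h: NetNTLMv1) -> bool:
    """With ESS/SSP (NTLM2 session security) the 24-byte LM field is the 8-byte
    client nonce followed by 16 zero bytes, so there is no LM response to crack."""
    return h.lm_resp[8:] == bytes(16)


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Sort lines into those with an attackable LM response and ESS-only ones."""
    result: Dict[str, List[str]] = {"lm_crackable": [], "ess_only": []}
    for line in lines:
        h = parse_netntlmv1(line)
        result["ess_only" if is_ess(h) else "lm_crackable"].append(h.user or h.domain)
    return result


def join_lm_halves(first: str, second: str = "") -> str:
    """Join the two 7-byte LM halves cracked separately; the second half is
    empty (all NUL padding) for passwords of 7 characters or fewer."""
    for half in (first, second):
        if len(half) > 7:
            raise ValueError("an LM half is at most 7 characters")
    return (first + second).rstrip("\x00")


def case_variants(word: str, max_variants: int = 1 << 20) -> List[str]:
    """Return every upper/lower variant of `word` (2**letters of them), with the
    forms toggle rules try first at the front: first letter upper only, all
    lower, then the uppercase form the LM crack already gave us."""
    letters = [i for i, c in enumerate(word) if c.isalpha()]
    if 1 << len(letters) > max_variants:
        raise ValueError(f"{len(letters)} letters give {1 << len(letters)} variants")
    variants: List[str] = []
    for mask in product((False, True), repeat=len(letters)):
        chars = list(word.lower())
        for upper, idx in zip(mask, letters):
            if upper:
                chars[idx] = chars[idx].upper()
        variants.append("".join(chars))
    first_upper = list(word.lower())
    if letters:
        first_upper[letters[0]] = first_upper[letters[0]].upper()
    ordered: List[str] = []
    seen = set()
    for v in ["".join(first_upper), word.lower(), word.upper()] + variants:
        if v not in seen:
            seen.add(v)
            ordered.append(v)
    return ordered


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
    print(case_variants(join_lm_halves("PASSWOR", "D1"))[:4])
```

The ESS check is the one Chick3nman describes having to decide on: a module parser could reject such lines, or leave it to the user; here it just routes them to a separate bucket. The variant list is a substitute for a hashcat rule file when only a handful of cracked halves need to be tried against the NTLM response.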