Cracking NTLM using LM Hashes
#1
Hello folks,

Those believed dead live longer. I sometimes have the situation that I also have the LM hash for an NTLM hash. My question is how I can efficiently use a cracked LM hash to crack the corresponding NTLM hash, in such a way that it works for a larger number of passwords. The current situation is that the LM hash is stored in two parts in the potfile. This means that I cannot simply take the plaintext passwords from the potfile and, for example, convert them into NTLM hashes. I would have to reassemble the two parts of the LM hash and then toggle upper and lower case. Since hashcat only reads the individual parts of the LM hash, I don't know what the original LM hash looked like and therefore how the two parts of the password belong together.

My current idea is to take all passwords from the potfile, combine them with all passwords from the potfile, and then toggle upper and lower case on the results.

I'm sure you've already come to this point, is there a ready-made solution or does anyone have an idea?

Thank you
#2
When you still have your LM hash input file, you can use
.\hashcat.exe --show -m3000 --outfile-format=2 mode-3000-hashfile.txt
to show the combined real LM passwords.

Otherwise, yeah, you will need to combine the parts from the potfile. You can use princeprocessor or a combinator attack for this. The problem, as mentioned, will be switching all case combinations of the letters in a word. I wrote myself a Python script for this, but I can't find it right now (I think there will be an answer on GitHub or StackOverflow).

The next problem you have to cope with: LM cuts the input at position 14, so when the output of combining the passwords from the potfile is exactly 14 characters long, the "real" password can or could be longer than this. So if you run into not cracking all hashes, you will need to combine your input with an appended mask.