A NTLM hash that cannot be cracked using the corresponding LM hash and Toggle
#1
Hi there,

I use https://github.com/DidierStevens/DidierS...-ntlm.rule
to use cracked LM hashes to crack the corresponding NTLM hash. This works fine for most hashes I tested, but for one hash it fails to do so. There seems to be nothing special about the password; it's letters, numbers and the dot symbol (.).
What may be the reason? false-preimage seems very unlikely given 69^7 preimages for a 2^64 hash

Thanks
#2
just guessing, the last rule is

Code:
T0T1T2T3T4T5T6T7T8T9TATBTCTD

therefore the maximum length affected is 14 (zero to 13), that would be the maximum LM password, BUT NTLM can be longer, LM passwords are just stripped to the length of 14

for example, the NTLM pw is "ThisIsMyPassword", LM would be "THISISMYPASSWO" the result after cracking the LM hash with hashcat would be two outputs for the hash "THISISM" and "YPASSWO"

BUT as mentioned, this doesn't need to be the full password for NTLM, this only works when the password is shorter than or exactly 14, you need to put these two parts together, use the rules to toggle, output these into a new file and run a hybrid attack with an appended mask to be able to crack the last 2 (in this case) letters
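An added example (not code from the thread or from the rule file) that models what #2 describes: NTLM is MD4 over the UTF-16LE password and has no length limit, while the LM side only ever yields the uppercased first 14 characters, so toggling case on that string can only reproduce the NTLM hash when the real password is 14 characters or shorter. MD4 is implemented inline so it runs without OpenSSL's legacy provider; the sample passwords are constructed.

```python
import struct
from itertools import product

# Message-word order for MD4 rounds 2 and 3 (RFC 1320).
_R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 0x80 padding, 64-bit bit-length."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: F, words in order
                fn, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:  # round 2: G, column order, constant sqrt(2)
                fn, k, s = ((b & c) | (b & d) | (c & d)) + 0x5A827999, _R2[i - 16], (3, 5, 9, 13)[i % 4]
            else:         # round 3: H, constant sqrt(3)
                fn, k, s = (b ^ c ^ d) + 0x6ED9EBA1, _R3[i - 32], (3, 9, 11, 15)[i % 4]
            # Each step updates one register; rotating the tuple gives the A,D,C,B order.
            a, b, c, d = d, _rotl((a + fn + x[k]) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def ntlm(password: str) -> str:
    """NTLM hash: MD4 of the UTF-16LE password, case-sensitive, any length."""
    return md4(password.encode("utf-16-le")).hex()

def lm_preimage(password: str) -> tuple:
    """What an LM crack hands back: uppercased, cut to 14 chars, as two 7-char halves."""
    p = password.upper()[:14]
    return p[:7], p[7:]

def recover_by_toggle(lm_word: str, target_ntlm: str):
    """Try every case variant of the LM output (the space the T0..TD toggle rules cover)."""
    options = [(ch, ch.lower()) if ch.isalpha() else (ch,) for ch in lm_word]
    for variant in product(*options):
        cand = "".join(variant)
        if ntlm(cand) == target_ntlm:
            return cand
    return None  # LM output is shorter than the real password: no variant can match

if __name__ == "__main__":
    for pw in ("Secret.pw1", "ThisIsMyPassword"):   # constructed sample passwords
        halves = lm_preimage(pw)
        print(pw, halves, recover_by_toggle("".join(halves), ntlm(pw)))
```

For "ThisIsMyPassword" every one of the 2^14 case variants of "THISISMYPASSWO" fails, which is exactly the situation #2 describes: the remaining characters have to come from a hybrid attack, not from the toggle rules.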