Posts: 13
Threads: 3
Joined: Aug 2024
Hi there,
I use
https://github.com/DidierStevens/DidierS...-ntlm.rule
to use cracked LM hashes to crack the corresponding NTLM hash. This works fine for most hashes I tested, but for one hash it fails to do so. There seems to be nothing special about the password, its letters, numbers and the symbol dot (.).
What may be the reason? false-preimage seems very unlikely given 69^7 preimages for a 2^64 hash
Thanks
Posts: 886
Threads: 15
Joined: Sep 2017
just guessing, the last rule isĀ
Code:
T0T1T2T3T4T5T6T7T8T9TATBTCTD
therefore the maximum length affected is 14 (zero to 13), that would be the maximum LM password, BUT NTLM can be longer, LM passwords are just stripped to the lenght of 14
for example, the NTLM pw is "ThisIsMyPassword", LM would be "THISISMYPASSWO" the result after cracking the LM hash with hashcat would be two outputs for the hash "THISISM" and "YPASSWO"
BUT as mentioned, this doesn't need to be the full password for NTLM, this only works when the password is shorter or even 14, you need to put these two parts together use the rules to toggle output these into a new file and run a hybrid attack with an appended mask to be able to crack the last 2 (in this case) letters
Posts: 13
Threads: 3
Joined: Aug 2024
Interesting idea, but isn't the NTLM hash based on the first 14 letters only if LM is still active?
update: My bad. During conversion from LM output to NTLM wordlist, an exclamation mark got lost (thank you, Batchscripting) - now ntlm and LM do match.
Posts: 886
Threads: 15
Joined: Sep 2017
(09-19-2024, 06:51 PM)fsdafsadfsdsdaf Wrote: Interesting idea, but isn't the NTLM hash based on the first 14 letters only if LM is still active?
update: My bad. During conversion from LM output to NTLM wordlist, an exclamation mark got lost (thank you, Batchscripting) - now ntlm and LM do match.
as far is i remember no, the NTLM is allways the full entered password, the LM is stripped to 14 chars
Posts: 13
Threads: 3
Joined: Aug 2024
Update: My fault! - a batch script removed the exclamation mark that was part of the original password, because I was not aware that strings with an ! need a special treatment in batch.