NTLM and Line Length
#1
Hello,

I am a new user to hashcat-plus, but I want to get better. My question is about NTLM input. I have a large list of hashes in the following format:

sys:$NT$7f8fe03093ccxxxx67b109625f6bbf4b

I have tried a bunch of different formats but -m 1000 (NTLM) seems to be the only one that I can get to work, and the only way I can get it to work is to delete the username:$NT$. Other than that I get a line-length exception.

I saw another thread: (https://hashcat.net/forum/thread-2047.html) that explained the format, and it does not look like mine at all. I don't think I am using the right format, but I have tried everything Windows related.

Does hashcat have a format that will support the username:$NT$?

jtr has a format 'nt' that works really well, but I want to put my GPUs to work.

Thanks,
Chinchilla
#2
All formats are very well documented here: http://hashcat.net/wiki/doku.php?id=example_hashes
(with examples).

Did you try those?
#3
(06-13-2013, 06:51 PM)philsmd Wrote: All formats are very well documented here: http://hashcat.net/wiki/doku.php?id=example_hashes
(with examples).

Did you try those?

Thanks for the speedy response.

In short yes, not all of them, but the ones that are related to windows credentials.

I should have been more clear with my problem. Without a username, the cracked hashes will just be a listing of passwords without anything to tie them to.

-m 1000 (NTLM) works, in so far as that it will not error out when I input my 32 character hash. But this gives me 2 problems:

1. Without a username, there will be no trace-ability.

2. The hashed password is relatively simple, 'Passphrase' and it is not cracking even though it is in my dictionary.

Thanks
#4
Once you have recovered the pass you can use --username and --show to pair them back up with the username.

As for not finding the pass, verify that your dictionary does not have extra chars on the end (like a carriage return, or some funk from windows formats). To verify that the hash is legit, you can try -a 3 Passphrase and see if it will recover.


(06-13-2013, 07:06 PM)Chinchilla Wrote:
(06-13-2013, 06:51 PM)philsmd Wrote: All formats are very well documented here: http://hashcat.net/wiki/doku.php?id=example_hashes
(with examples).

Did you try those?

Thanks for the speedy response.

In short yes, not all of them, but the ones that are related to windows credentials.

I should have been more clear with my problem. Without a username, the cracked hashes will just be a listing of passwords without anything to tie them to.

-m 1000 (NTLM) works, in so far as that it will not error out when I input my 32 character hash. But this gives me 2 problems:

1. Without a username, there will be no trace-ability.

2. The hashed password is relatively simple, 'Passphrase' and it is not cracking even though it is in my dictionary.

Thanks
#5
(06-13-2013, 07:06 PM)Chinchilla Wrote: 1. Without a username, there will be no trace-ability.

2. The hashed password is relatively simple, 'Passphrase' and it is not cracking even though it is in my dictionary.

Thanks
1. When you crack it, you get Hash:Password. You can use the hash to "link" it back. Otherwise, you can use the --username switch like radix said.

2. Make sure that the passphrase is less than 16 characters long including spaces if present.
#6
(06-13-2013, 07:10 PM)radix Wrote: Once you have recovered the pass you can use --username and --show to pair them back up with the username.

Thanks,

I used the --username flag and did some GREP massaging and it worked on both my test 'Passphrase' and the credentials I dumped yesterday. (I am a pentester) Running like a dream right now.

I look forward to contributing to this site in the future.

Thanks again,
Chinchilla
#7
(06-13-2013, 07:19 PM)mastercracker Wrote: 1. When you crack it, you get Hash:Password. You can use the hash to "link" it back. Otherwise, you can use the --username switch like radix said.

2. Make sure that the passphrase is less than 16 characters long including spaces if present.

I will experiment with the 'linking' when it has cracked enough passwords. Could throw these into an excel spreadsheet and do a VLOOKUP if nothing else.

Thank you for your response, and thanks for the knowledge!
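The clean-up steps discussed in this thread, as an added example that is not part of any poster's message: it rewrites `user:$NT$hash` lines as `user:hash`, rejects anything whose hash field is not 32 hex characters, links `hash:password` results back to accounts, and flags dictionary entries ending in a carriage return. The function names and all sample data are constructed for illustration; the rejected line reuses the redacted hash from the first post.

```python
import re

NT_HEX = re.compile(r"[0-9a-fA-F]{32}")  # an NTLM hash is exactly 32 hex characters

def normalize_dump(lines):
    """'user:$NT$<hash>' -> ('user', '<hash>'); malformed lines are reported, not passed on."""
    good, bad = [], []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        user, sep, field = line.rpartition(":")  # the hash is always the last field
        if field.startswith("$NT$"):
            field = field[4:]
        if sep and user and NT_HEX.fullmatch(field):
            good.append((user, field.lower()))
        elif line:
            bad.append((n, line))
    return good, bad

def join_cracked(pairs, cracked_lines):
    """Map 'hash:password' results back to every account that shares that hash."""
    by_hash = {}
    for user, h in pairs:
        by_hash.setdefault(h, []).append(user)
    out = []
    for raw in cracked_lines:
        # Split on the first colon only: the password itself may contain colons.
        h, sep, password = raw.rstrip("\r\n").partition(":")
        if sep:
            out.extend((user, password) for user in by_hash.get(h.lower(), []))
    return out

def words_with_cr(wordlist_bytes):
    """1-based line numbers of dictionary entries that end in a carriage return."""
    return [n for n, w in enumerate(wordlist_bytes.split(b"\n"), 1) if w.endswith(b"\r")]

# Constructed sample data (not real credentials).
DUMP = [
    "sys:$NT$0123456789abcdef0123456789abcdef\n",
    "svc_backup:$NT$0123456789ABCDEF0123456789ABCDEF\n",
    "admin:$NT$fedcba9876543210fedcba9876543210\n",
    "broken:$NT$7f8fe03093ccxxxx67b109625f6bbf4b\n",  # redacted hash: 'x' is not hex
]
CRACKED = ["0123456789abcdef0123456789abcdef:Pass:phrase\n"]
WORDLIST = b"letmein\nPassphrase\r\nsummer2013\n"

if __name__ == "__main__":
    pairs, rejects = normalize_dump(DUMP)
    print("\n".join(f"{u}:{h}" for u, h in pairs))  # contents of the user:hash file
    print("rejected:", rejects)
    print("report:", join_cracked(pairs, CRACKED))
    print("CR-terminated words on lines:", words_with_cr(WORDLIST))
```
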
#8
gief me your ntlms pl0x

(06-13-2013, 08:31 PM)Chinchilla Wrote:
(06-13-2013, 07:10 PM)radix Wrote: Once you have recovered the pass you can use --username and --show to pair them back up with the username.

Thanks,

I used the --username flag and did some GREP massaging and it worked on both my test 'Passphrase' and the credentials I dumped yesterday. (I am a pentester) Running like a dream right now.

I look forward to contributing to this site in the future.

Thanks again,
Chinchilla