HELP/GUIDE: LM Brute Force
#1
Information 
Hello!

I am trying to recover some passwords from a Windows SBS 2003 Active Directory database, but I am unable to successfully get the clear text passwords from the LM hashes. I have written this as a guide so that you know what I have done and we can fix it together.

I have Cygwin installed and in my PATH, also downloaded QuarksPWDump and of course oclhashcat.

I was using AMD CCC 14.2 but I downgraded to 13.2 so I could use oclhashcat. (Just used the normal CCC uninstaller, reboot, installed 13.2, reboot, all working fine)

Other bits are that I am using Windows 8.1 x64, and have an AMD FX-9590, 16 GB of 2133 MHz 10t memory and an AMD R9 290X. Drive layout is a 2x64GB SSD system RAID-0 and a 4x2TB WD Black data RAID-10.

Benchmarks: (No idea why it's showing as 2048MB, perhaps something to do with OverDrive?)

Code:
oclHashcat-1.01>oclHashcat64.exe -b
oclHashcat v1.01 starting in benchmark-mode...

Device #1: Hawaii, 2048MB, 1000Mhz, 44MCU

Hashtype: MD4
Workload: 1024 loops, 256 accel
Speed.GPU.#1.: 23907.3 MH/s

Hashtype: MD5
Workload: 1024 loops, 256 accel
Speed.GPU.#1.: 11991.6 MH/s

Hashtype: SHA1
Workload: 512 loops, 256 accel
Speed.GPU.#1.:  3735.3 MH/s

Hashtype: SHA256
Workload: 256 loops, 256 accel
Speed.GPU.#1.:  1532.4 MH/s

Hashtype: SHA512
Workload: 128 loops, 256 accel
Speed.GPU.#1.: 92496.5 kH/s

Hashtype: SHA-3(Keccak)
Workload: 256 loops, 256 accel
Speed.GPU.#1.:   215.7 MH/s

Hashtype: RipeMD160
Workload: 256 loops, 256 accel
Speed.GPU.#1.:  2428.8 MH/s

Hashtype: Whirlpool
Workload: 256 loops, 256 accel
Speed.GPU.#1.: 19168.8 kH/s

Hashtype: GOST R 34.11-94
Workload: 256 loops, 256 accel
Speed.GPU.#1.:   145.1 MH/s

Hashtype: SHA-1(Base64), nsldap, Netscape LDAP SHA
Workload: 512 loops, 256 accel
Speed.GPU.#1.:  3736.0 MH/s

Hashtype: SSHA-1(Base64), nsldaps, Netscape LDAP SSHA
Workload: 512 loops, 256 accel
Speed.GPU.#1.:  3701.5 MH/s
ERROR: clEnqueueNDRangeKernel() -4 // Dunno what happened here

Run the command prompt as Administrator (might not be required for all), and run the following to use the commands, or just replace %WORKDIR% with your working directory:

Code:
set WORKDIR=c:\your\working\directory

I started by copying the Active Directory Database to my Working Directory:

Code:
cp "%SystemRoot%\NTDS\ntds.dit" "%WORKDIR%\ntds.dit"

To successfully use quarkspwdump I had to fix the database (I learned after my first attempt, solution here):

Code:
esentutl /p %WORKDIR%\ntds.dit

I then needed to run QuarksPWDump against my working, and fixed, ntds.dit file and write it to a text file (--history is optional):

Code:
quarkspwdump.exe --ntds-file %WORKDIR%\ntds.dit --dump-hash-domain --history -o %WORKDIR%\ntds.txt

The output is not directly usable by oclHashcat 1.02, so I had to extract the LM hashes and split them up into blocks of 16 (thanks):

Code:
sed -rn 's/.*:.*:(.{16})(.{16}):.*/\1\r\n\2/p' %WORKDIR%\ntds.txt > %WORKDIR%\ntds_lm.txt

It is simply laid out as User:UID:LM:NTLMv1:::. To extract the NTLMv1, here is the sed:

Code:
sed -rn 's/.*:.*:.*:(.{32}):.*/\1/p' %WORKDIR%\ntds.txt > %WORKDIR%\ntds_ntlm1.txt

I then ran oclhashcat in brute force mode against the LM hashes, Upper-case, Digits and Symbols only:

Code:
oclHashcat64.exe -m 3000 %WORKDIR%\ntds_lm.hash -a 3 -1 ?u?d?s ?1?1?1?1?1?1?1

However the results are as follows:

Code:
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Thu Apr 24 22:40:45 2014 (3 secs)
Time.Estimated.: Fri Apr 25 00:19:39 2014 (1 hour, 38 mins)
Speed.GPU.#1...:  1346.8 MH/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 4907859968/7446353252589 (0.07%)
Rejected.......: 0/4907859968 (0.00%)

Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Thu Apr 24 22:40:45 2014 (1 hour, 29 mins)
Time.Estimated.: 0 secs
Speed.GPU.#1...:   100.4 MH/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 7446353252589/7446353252589 (100.00%)
Rejected.......: 0/7446353252589 (0.00%)


I did go out for a beer with my colleague while this was running; the final 100MH/s is probably just the spinning down, but if it's not then it was perhaps because I locked my PC and the screens turned off?

I forgot to use increment so I did the following as of writing this (if you are doing this from scratch, do all 7 with increment):

Code:
oclHashcat64.exe -m 3000 F:\_users\ntds_lm.hash --increment -a 3 -1 ?u?d?s ?1?1?1?1?1?1

And the results:

Code:
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1) [1]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/69 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1) [2]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/4761 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1) [3]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/328509 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1) [4]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: 0 secs
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/22667121 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1) [5]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 02:09:50 2014 (1 sec)
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/1564031349 (0.00%)
Rejected.......: 0/0 (0.00%)

Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1) [6]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 02:09:50 2014 (1 min, 21 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:        0 H/s
Recovered......: 0/782 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 0/107918163081 (0.00%)
Rejected.......: 0/0 (0.00%)

So, why are none of my hashes being matched up with anything?

Could the extracted hashes be invalid for some reason?

I did try NTLM (-m 1000) with the ntds_ntlm1.txt file and the following rules (ntlm.hcmask) but got nothing; I attributed that to the passwords perhaps being more complicated, which is why I kept to LM:

Code:
?u?l?l?l?l?d
?u?l?l?l?l?l?d
?u?l?l?l?l?l?l?d
?u?l?l?l?l?l?l?l?d
?u?l?l?l?l?d?d
?u?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?d?d
?u?l?l?l?l?l?l?l?d?d

Any help would be much appreciated!

Many Thanks,
MadCatter
#2
Thanks for the details. As not a single hash was cracked there must be something wrong. Can you crack the LM and NTLM example hash from here: https://hashcat.net/wiki/doku.php?id=example_hashes ?
#3
hash corruption seems far more likely.
#4
Thanks for the reply =]

(04-25-2014, 10:59 AM)atom Wrote: Thanks for the details. As not a single hash was cracked there must be something wrong. Can you crack the LM and NTLM example hash from here: https://hashcat.net/wiki/doku.php?id=example_hashes ?

I added the LM hash for HASHCAT at the top of the ntds_lm.hash file and ran:

Code:
oclHashcat64.exe -m 3000 %WORKDIR%\ntds_lm.hash -a 3 -1 ?u?d?s ?1?1?1?1?1?1?1

The result I got after ~5 minutes:

Code:
[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 10:14:13 2014 (1 min, 6 secs)
Time.Estimated.: Fri Apr 25 11:52:03 2014 (1 hour, 35 mins)
Speed.GPU.#1...:  1311.6 MH/s
Recovered......: 0/783 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 85708226560/7446353252589 (1.15%)
Rejected.......: 0/85708226560 (0.00%)

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>
299bd128c1101fd6:HASHCAT
[s]tatus [p]ause [r]esume [b]ypass [q]uit => Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target....: File (ntds_lm.hash)
Hash.Type......: LM
Time.Started...: Fri Apr 25 10:14:13 2014 (4 mins, 58 secs)
Time.Estimated.: Fri Apr 25 12:18:59 2014 (1 hour, 58 mins)
Speed.GPU.#1...:    44741 H/s
Recovered......: 1/783 (0.13%) Digests, 0/1 (0.00%) Salts
Progress.......: 300325453824/7446353252589 (4.03%)
Rejected.......: 0/300325453824 (0.00%)

So, is there something wrong with my data-set? I'll try another password dump utility and try grabbing some hashes from my machine. (I just assumed the output from quarkspwdump was fine, has all the expected data)

... I don't suppose the hashes being in upper/lower case matters?
#5
(04-25-2014, 11:23 AM)epixoip Wrote: hash corruption seems far more likely.

Just saw your post after posting my response to atom, I guess I am doing something wrong extracting the hashes from the ntds.dit file.

I'm looking at ntdsxtract, just downloaded it, I'll give it a go and respond back.
#6
So I did the following to get the hashes using NTDSXtract. I ended up just using a Debian virtual machine, as I could not get libesedb to compile with Cygwin or Visual Studio 2013.

I used the guide here.

However, the download for libesedb is on Google; be sure to use the 20120102 one. I also had to "apt-get install python python-crypto" so I could run it.

I followed the rest of that blog post, except the table commands were +1 each, datatable.4 and link_table.6:

Code:
python dsusers.py ../../ntds.dit.export/datatable.4 ../../ntds.dit.export/link_table.6 --passwordhashes ../../SYSTEM.hive --passwordhistory ../../SYSTEM.hive > hashes.txt

A few commands coming up. I transferred hashes.txt to my host; I just used Excel to do the matching:

This will give you all the LM hashes split up:
Code:
grep ::: hashes.txt | grep -v "\$NT\$" | sed -rn 's/.*\:(.{16})(.{16})\:\:\:/\1\r\n\2/p'

The same for NTLM but we include (instead of -v) the $NT$, and tweak the sed:
Code:
grep ::: hashes.txt | grep "\$NT\$" | sed -rn 's/.*\:\$NT\$(.{32})\:\:\:/\1/p'

And the LM hashes are now working ... I will work on the step-by-step guide to this and also on using the LM clear text passwords to match against the NTLM passwords. I did consider the Table-Lookup Attack, but Toggle-Case seems to do what we want for that.

Anyways, thanks so far =]
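The two extraction steps in this thread (the sed split of the quarkspwdump output in the first post, and the grep/sed pair over the NTDSXtract output in this post) as one added Python example that is not from the thread or from either tool: it parses both line formats, splits each LM hash into the two halves that hashcat -m 3000 attacks, and reports the sanity counters worth checking before committing hours of GPU time, namely malformed lines (the corrupt-dump case this thread ran into) and accounts whose LM field is the empty-password constant, meaning no LM hash is stored for them. The line formats are assumed from the sed patterns on the page and the sample lines are constructed.

```python
import re

# Each 8-byte half of the LM hash of an empty password (a fact, not a page value): a second
# half equal to it means a password of at most 7 chars; two copies mean no LM hash is stored.
EMPTY_LM_HALF = "aad3b435b51404ee"
# Assumed formats, inferred from the thread's sed patterns: pwdump-style User:UID:LM:NTLM:::
# and ntdsxtract-style User:$NT$NTLM::: or User:LM:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")
NTDSX_NT_RE = re.compile(r"^([^:]+):\$NT\$([0-9a-fA-F]{32}):::$")
NTDSX_LM_RE = re.compile(r"^([^:]+):([0-9a-fA-F]{32}):::$")

def parse_line(line):
    """Return (user, lm_or_None, ntlm_or_None) for a recognised line, else None."""
    if m := PWDUMP_RE.match(line):
        return m.group(1), m.group(3), m.group(4)
    if m := NTDSX_NT_RE.match(line):
        return m.group(1), None, m.group(2)
    if m := NTDSX_LM_RE.match(line):
        return m.group(1), m.group(2), None
    return None

def split_lm(lm):
    """Split a 32-hex LM hash into the two halves that hashcat -m 3000 attacks separately."""
    return lm[:16].lower(), lm[16:].lower()

def extract_hashes(text):
    """Parse a dump; return unique crackable LM halves, NTLM hashes and sanity counters."""
    lm_halves, ntlm, rejected, lm_disabled = set(), set(), [], 0
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        rec = parse_line(line)
        if rec is None:           # malformed line: the dump itself is corrupt
            rejected.append(line)
            continue
        _user, lm, nt = rec
        if nt:
            ntlm.add(nt.lower())
        if lm and lm.lower() == EMPTY_LM_HALF * 2:
            lm_disabled += 1      # LM storage is off for this account: nothing to crack
        elif lm:
            lm_halves.update(h for h in split_lm(lm) if h != EMPTY_LM_HALF)
    return {"lm_halves": lm_halves, "ntlm": ntlm, "lm_disabled": lm_disabled, "rejected": rejected}

# Constructed sample lines, not real accounts: 299bd128c1101fd6 is the hashcat example LM
# hash quoted in the thread; the NTLM values are made-up placeholders.
SAMPLE_PWDUMP = """Administrator:500:299bd128c1101fd6aad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
broken:1106:zz9bd128c1101fd6aad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""
SAMPLE_NTDSX = """Administrator:$NT$00112233445566778899aabbccddeeff:::
Administrator:299bd128c1101fd6aad3b435b51404ee:::
"""
```

If every LM field in a real dump comes back as the empty-password constant, the domain has LM storage disabled and the NTLM hashes are the only thing left to audit.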
#7
glad you were able to work through it