NTLM Issues [Solved]
#1
I seem to be having an issue with cracking some of my NTLM hashes.

Currently I have dumped a 2008R2 SAM using VSS in combination with the Quarks PwDump util to get it into a txt file.

They appear like this example:
PHP Code:
user:4265:AA############################EE:18####################F1D2A5CB06::: 

I have removed:
PHP Code:
user:salt_idk?:AA############################EE: 

Leaving me with what I think is the NTLM:
PHP Code:
18####################F1D2A5CB06 

I use the following command:
Code:
cudaHashcat64.exe -m 1000 -o recovered.txt hashes.txt wordlist.txt

I am unable to crack any of the passwords, even though I have set my own password in AD manually and placed it in the wordlist.txt. I did add in the example hashcat NTLM and it was able to retrieve it fine. I don't get any errors about line length either.

My impression is that the export is suspect. Any ideas?
#2
It was my own fault for not reading the documentation on Quarks PwDump.

http://blog.quarkslab.com/quarks-pwdump.html

"For example, it's not possible to parse Win 2008 NTDS.dit file from XP. In fact, record's checksum are computed in a different manner and database files appear corrupted for API functions."

I just dumped the hashes using the utility on Windows 7, not on the DC itself. Running the same application against the same hash files on Win7, Server 2008R2, and Server 2012R2 gave all different hashes.