Penetration test of MS VPN

[Adavan]

Hello.
I used this very good tool for testing security threads on solutions for our customer. About week later i try do penetration test for MS VPN (NetNTLMv2).
I setup scenario with "MIDM" and catch challenge and response for autentification with Wireshark. Now, real challenge start with right assemble this information to format acceptable by Hashcat .
I not realize this before, it seems, that i am do something wrong, but i am not able find this mistake.
So. situation is below:

I run script "crack_vpn.sh" (for easy edit and place comments for my colleagues)

Code:

./hashcat-cli64.bin -a 3 -m 5600 /home/shared/hashcat/INPUT/test_enc.txt ?d?d?d?d?d?d -o /home/shared/hashcat/OUTPUT/test_dec.txt

test_enc.txt (maybe in this format i do mistake, for security reason i not place some information)

Code:

<user_name>:<domain>:<name_of_user's_pc>:1122334455667788:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00

I am not sure with 1122334455667788. How can i check it from Wireshark?

Hashcat result:

Code:

XXX@LinuxUbuntu hashcat$ ./crack_vpn.sh
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...

Added hashes from file /home/shared/hashcat/INPUT/test_enc.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Input.Mode: Mask (?d?d?d?d?d?d) [6]
Index.....: 0/1 (segment), 1000000 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 3.40M plains, 3.40M words
Progress..: 1000000/1000000 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--


Started: Mon Mar 28 12:54:48 2016            
Stopped: Mon Mar 28 12:54:49 2016

My colleague do connect and i am sure, that he set his password for only 6 digit (1 milion possibilities). Hashcat accept format of this input file, but not calculate password .

Hash should be OK, i try do this capture in our customer and hashes looks similar.

Many thanks for any effort.

[epixoip]

I am not sure with 1122334455667788. How can i check it from Wireshark?

This is the challenge. Typically you need to control this value.

[Adavan]

I am not sure with 1122334455667788. How can i check it from Wireshark?

This is the challenge. Typically you need to control this value.

Hello.
Thank you for response.

I try change it to:

Code:

<user_name>:<domain>:<name_of_user's_pc>:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00

hascat generate error message:

Code:

XXX@LinuxUbuntu hashcat$ ./crack_vpn.sh
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...

Skipping hash: <user_name>:<domain>:<name_of_user's_pc>:2ad388f256aae4a7fa63132247f3c111:cc1d54076bd8346bb46fc7bbf546902700000000000000004647457df074a6c266586afac7eeba645ffe4037ce38205a00 (signature unmatched)

No hashes loaded

I assemble it by the key:

Code:

<user_name>:<domain>:<name_of_user's_pc>:<challenge>:<response>

I think, that some value is missing or isnt in right place, or in right format .

In this thread i found information about value "blob". What it is? Maybe stupid question, but i want teach this .

Thank you all for any effort.