Trying to crack NTLMv2
#1
So I captured an NTLMv2 hash using an embedded UNC path from one of my Windows 7 machines using the Metasploit SMB server.

When I try to crack it using -m 1000 and a mask attack (knowing the first characters), I get an error saying something about the length being wrong and "skipping line". Can someone tell me the exact command I should be using to perform a mask attack against an NTLMv2 hash?

Thank you in advance!
#2
NTLMv2 is not -m 1000.
#3
(05-09-2016, 05:47 PM)epixoip Wrote: NTLMv2 is not -m 1000.
-m 0 ?

Thought I tried that one too...
#4
No, -m 0 is MD5. Somebody needs to do some reading.
#5
(05-09-2016, 06:41 PM)epixoip Wrote: No, -m 0 is MD5. Somebody needs to do some reading.

I need to find something to read first! The only articles I've found regarding NTLM are using -m 0 and -m 1000 as examples. Everything else is about cracking WPA.
#6
Articles? How about you start by reading --help. Then if you do not understand --help, read the wiki. If you need help interpreting the wiki, read the FAQ. If you're still lost, then post your question on the forums.
#7
root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~# hashcat --help | grep -i NTLM
1000 = NTLM
5500 = NetNTLMv1-VANILLA / NetNTLMv1-ESS
5600 = NetNTLMv2

root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~# hashcat -m 5500 -a 0 /root/ntlm2.txt /root/rockyou.txt
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...

Skipping line: 5d11f7c6054fe34013ba650090c1fdf3 (line length exception)
Skipping line: 26057f5f47bc03a52066fd60b9e2ffd1 (line length exception)
Skipping line: e6043d86df490079c0a95e0d96428d15 (line length exception)
Skipping line: b684039d6cb4a0e7cb03ccfeefb89715 (line length exception)

root@The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali):~# hashcat -m 5600 -a 0 /root/ntlm2.txt /root/rockyou.txt
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...

Skipping line: 5d11f7c6054fe34013ba650090c1fdf3 (line length exception)
Skipping line: 26057f5f47bc03a52066fd60b9e2ffd1 (line length exception)
Skipping line: e6043d86df490079c0a95e0d96428d15 (line length exception)
Skipping line: b684039d6cb4a0e7cb03ccfeefb89715 (line length exception)


No hashes loaded
#8
Maybe I am the one who should be more specific with my question here. I notice that the format is different under the NTLMv2 examples in the wiki. But this is not how it is being displayed when I run the SMB scanner. What information do I need from the SMB scanner? Is there a simple way to dump it in the correct format?
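An added example, not part of any post in this thread: a small Python check of which hashcat layout a hash line actually matches. It assumes hashcat's -m 5600 line layout user::domain:server_challenge:ntproofstr:blob (as shown on the hashcat wiki) and the NTLMv2 blob header from MS-NLMP; the full NetNTLMv2 line below is constructed, while the bare 32-hex line is one of the lines hashcat skipped in post #7.

```python
import re

# hashcat -m 5600 expects one NetNTLMv2 exchange per line in this layout
# (hashcat's own layout; the field sizes come from MS-NLMP):
#   user::domain:server_challenge(16 hex):ntproofstr(32 hex):blob(hex)
NETNTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):"
    r"(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<ntproof>[0-9a-fA-F]{32}):"
    r"(?P<blob>(?:[0-9a-fA-F]{2})+)$"
)

# Constructed sample line (not a real capture): 8-byte server challenge,
# 16-byte NTProofStr, then a minimal v2 blob: RespType 0x01, HiRespType 0x01,
# reserved bytes, 8-byte timestamp, 8-byte client challenge, reserved, EOL AvPair.
SAMPLE_V2_LINE = (
    "user::LAB:1122334455667788:"
    "00112233445566778899aabbccddeeff:"
    "0101" "0000" "00000000" "0000000000000000" "aabbccddeeff0011" "00000000" "00000000"
)

# One of the lines hashcat skipped in post #7: a bare 32-hex digest.
SAMPLE_BARE_LINE = "5d11f7c6054fe34013ba650090c1fdf3"


def classify_line(line: str) -> dict:
    """Report which hashcat mode's layout a line matches and, if not -m 5600, why."""
    line = line.strip()
    m = NETNTLMV2_RE.match(line)
    if m:
        blob = bytes.fromhex(m.group("blob"))
        # MS-NLMP NTLMv2_CLIENT_CHALLENGE: the fixed part before the AvPairs
        # is 28 bytes and starts with RespType=0x01, HiRespType=0x01.
        ok = len(blob) >= 28 and blob[0] == 0x01 and blob[1] == 0x01
        return {"mode": 5600 if ok else None,
                "reason": None if ok else "blob does not start with a v2 header",
                **m.groupdict()}
    if re.fullmatch(r"[0-9a-fA-F]{32}", line):
        # 16 bytes of hex is the length of an NTLM (MD4) digest, i.e. -m 1000 input;
        # it carries no challenge, so -m 5500/5600 can only report a length exception.
        return {"mode": 1000,
                "reason": "bare 32-hex digest: no challenge or blob, not a NetNTLMv2 exchange"}
    return {"mode": None, "reason": "unrecognised layout"}


if __name__ == "__main__":
    for sample in (SAMPLE_V2_LINE, SAMPLE_BARE_LINE):
        print(classify_line(sample))
```

Run it over the file you feed to hashcat: any line that does not come back as mode 5600 is the one the "line length exception" messages refer to.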
#9
I have no idea what "SMB scanner" is, I think most people use https://github.com/SpiderLabs/Responder
#10
Okay, thank you. I was using "msfconsole auxiliary/server/scanner/smb" to capture the challenge, but the output appears in a different format than is displayed in the wiki. I will check out Responder.