How to make use of the DES KPA mode
Just wanted to make a quick writeup on how to use the new DES KPA cracking mode.

An interesting example, I thought, would be how to retrieve the NTLM out of a captured NetNTLMv1 session. It doesn't matter if you were the server to enforce some challenge or if you sniffed it from the wire.

Note: The way we do it here will also work for cracking MSCHAPv2 or WPA2 Enterprise.

So, basically what we're looking for in NetNTLMv1 is the challenge and a 24 byte bytestream. To get them you can use metasploit or other tools, but I don't want to focus on that here. For details on how to get them, check out this page:

You end up with a string that looks like the following: $99$ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=

First we need to decode the base64, remove the $99$ signature and do this:

root@et:~/hashcat# echo -n 'ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=' | base64 -d | xxd
00000000: 1122 3344 5566 7788 727b 4e35 f947 129e  ."3DUfw.r{N5.G..
00000010: a52b 9cde dae8 6934 586c                 .+....i4Xl
  • The first 8 bytes are the challenge, which will be our data part in the DES cracking later.
  • The next 16 bytes are 2 of 3 DES encrypted messages. If we manage to crack both of them we can reconstruct the NTLM out of it. This is our goal and it's guaranteed; it will just take some time.
  • The next 2 bytes are the decrypted message of the third DES message. So yes, this one is already cracked, which was possible because the search space is pretty small (0x10000). We don't need to crack this anymore. Note: This will be the last 2 bytes of the final NTLM.
If you're interested in a detailed analysis of this, check this page:

So we end up with the following information:
  • CT1: 727b4e35f947129e
  • CT2: a52b9cdedae86934
  • PT3: 586c
  • CHAL: 1122334455667788
Now, to hashcat. We want to crack CT1 and CT2. Luckily, both have been generated with the same plaintext message (challenge). This means that we can multihash attack them. We will crack both for the price of one. From a math perspective, the keyspace to search is 2^56, not 2*(2^56).

To make use of hashcat's DES KPA cracking we just need two pieces of information: the ciphertext and the plaintext. Both must be exactly 8 bytes. Both need to be given in hex notation. So the hashes look like this:

root@et:~/hashcat# cat hashes.txt

And that's it basically. Now we can start hashcat with this:

root@et:~/hashcat# ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3

Some explanations about the command line:
  • The -1 charsets/DES_full.charset was added to GitHub with a recent commit and I recommend using it whenever you're cracking a full DES range.
  • ?1?1?1?1?1?1?1?1 The length is always (and exactly) 8 bytes.
When hashcat is finished you will find the entries in cracked.txt:

root@et:~/hashcat# cat cracked.txt 

Now that we've cracked the DES key, we need to decode them back to plain data. I've written a small program "" to do that, it's part of hashcat-utils now:

root@et:~/hashcat-utils/src# perl 8923bdfdaf753f63
root@et:~/hashcat-utils/src# perl 17d741d7ddc1c36f

Now you can put the substrings together to get the final NTLM:


As proof that all the above worked correctly, I knew that the NTLM password was "password":

root@ht:~/hashcat-utils/src# echo -n password | iconv -f utf8 -t utf16le | openssl dgst -md4 
(stdin)= 8846f7eaee8fb117ad06bdd830b7586c

You know, once you have the NTLM hash, you can do all the funny things like PTH or generate a Kerberos ticket out of it or simply crack the NTLM.

- atom
Awesome stuff! Thanks for making this happen atom. Really appreciate it.