MSCHAPv2 and NTLMv1
#1
Hi all,
This is my first post; I hope the question is just as interesting for you as it is for me, and that it's not too dumb.

I get to the point:

Implementing an evil-twin attack in a WPA2-Enterprise network, in which my notebook is both the authenticator and the authentication server (the AP and the RADIUS server) and where the MSCHAPv2 protocol is used as the inner authentication method, I can retrieve an NTLMv1 hash, an MD4, as suggested in these posts and as the example picture shows:

https://hashcat.net/forum/thread-2563.html
https://hashcat.net/forum/thread-5052.html

[Image: 6gxgC.jpg]

(I'm using hostapd-wpe in a TESTING environment)

But, reading the details of the MSCHAPv2 protocol, I cannot explain to myself how it's possible that I can retrieve this (NTLM) hash, especially if the protocol uses the NTLM hash only as a key to encrypt the challenge hash and does not explicitly send it to the RADIUS server.

From RFC 2759 - "Microsoft PPP CHAP Extensions, Version 2" I found:

Quote: Response Packet

The MS-CHAP-V2 Response packet is identical in format to the standard CHAP Response packet. However, the Value field is sub-formatted differently as follows:

   16 octets: Peer-Challenge
    8 octets: Reserved, must be zero
   24 octets: NT-Response
    1 octet : Flags

The NT-Response field is an encoded function of the password, the user name, the contents of the Peer-Challenge field and the received challenge as output by the routine GenerateNTResponse().

Quote: 8.1.  GenerateNTResponse()

   GenerateNTResponse(
   IN  16-octet              AuthenticatorChallenge,
   IN  16-octet              PeerChallenge,
   IN  0-to-256-char         UserName,
   IN  0-to-256-unicode-char Password,
   OUT 24-octet              Response )
   {
      8-octet  Challenge
      16-octet PasswordHash

      ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                     giving Challenge)

      NtPasswordHash( Password, giving PasswordHash )
      ChallengeResponse( Challenge, PasswordHash, giving Response )
   }

Quote: 8.5. ChallengeResponse(
   IN  8-octet  Challenge,
   IN  16-octet PasswordHash,
   OUT 24-octet Response )
   {
      Set ZPasswordHash to PasswordHash zero-padded to 21 octets

      DesEncrypt( Challenge,
                  1st 7-octets of ZPasswordHash,
                  giving 1st 8-octets of Response )

      DesEncrypt( Challenge,
                  2nd 7-octets of ZPasswordHash,
                  giving 2nd 8-octets of Response )

      DesEncrypt( Challenge,
                  3rd 7-octets of ZPasswordHash,
                  giving 3rd 8-octets of Response )
   }

How is it possible that I can retrieve the PasswordHash, instead of trying to obtain it through the DES-encrypted string?

Thank you for all your help
Reply
#2
If you look at the 5500 (netntlmv1) kernel you can see that it does involve DES encryption: https://github.com/hashcat/hashcat/blob/...5500_a0.cl

However, here is a post about recovering the NTLM hash from the NetNTLMv1 hash: https://hashcat.net/forum/thread-5912.html
Reply
#3
(04-11-2018, 10:46 PM)undeath Wrote: however, here is a post about recovering the ntlm hash from the netntlmv1 hash: https://hashcat.net/forum/thread-5912.html

OK, now it's clearer, thanks a lot!

In particular I would point out the link reported by the author of the post, which definitively solved my doubts: http://markgamache.blogspot.ca/2013/01/n...roken.html
Reply