Problem with NetNTLM v2 and Responder
#1
Dear Hashcat community,

I have a problem that I am not certain where to ask for help with (if I am in the wrong place, please point me in the right direction).

I have set up a Windows 10 test machine (user Admin, password Administrator).
When I connect the system to a Bash Bunny running Responder, my Responder catches a nice batch of NetNTLMv2 hashes.

However, when I try to crack the hashes, only a few of them can be cracked with the password Administrator (even though I am 100% certain this is the correct password).
When I try the same thing with John the Ripper, exactly the same hashes get cracked.

Therefore I suspect either something is wrong with Responder or Microsoft has altered the way NetNTLMv2 hashes are generated (if this is the case, the NetNTLMv2 mode needs to be updated?).
Is there anyone on this forum that has some experience with this issue?

I wanted to post my test hashes here, but I think that isn't allowed by the forum rules (if I am mistaken, please let me know and I will post them).
#2
Sometimes the guest account is enabled by default; typically the password is empty. I’ve had hashcat crack these from time to time.
#3
Thanks for the tip, soxrok.
It appears the guest account was not enabled on the system.
Also, the NetNTLM hashes captured include the username, which is admin in every hash (both the crackable and uncrackable).
But just to be sure, I also tested if I could crack the passwords with an empty password and it didn't crack them.
I am still very confused about what is causing this issue.