LM Hashes
#11
Awesome. Thanks.
#12
Assuming your ntds dump is ntds.dit, you need to do the following (don't do it from a Mac, it just doesn't work)

1) Create a list of just LanMan
Code:
cut -d: -f3 < ntds.dit | sort -u > ntds.lm

2) Create a list of just NTLM and remove invalid hashes (aad3b435b51404eeaad3b435b51404ee)
Code:
cut -d: -f4 < ntds.dit | grep -v aad3b435b51404eeaad3b435b51404ee | sort -u > ntds.ntlm

3) Run hashcat in mode 3000 in increment mode for ?a (this will not cover all accented and international characters; adjust if needed)

Code:
./hashcat -m 3000 ntds.lm -i -a 3 -w 3 ?a?a?a?a?a?a?a

4) Create a new candidate file
Code:
./hashcat -m 3000 ntds.lm --show | cut -d: -f2- > cand.lst

5) Download the toggles rules from https://blog.didierstevens.com/2016/07/1...gle-rules/
Direct download link: http://didierstevens.com/files/software/...v0_0_1.zip

6) Run hashcat with your candidate file and the rule file in that zip
Code:
./hashcat -m 1000 ntds.ntlm -w 3 -O -a 0 cand.lst -r toggles-lm-ntlm.rule

7) Show the results
Code:
./hashcat -m 1000 ntds.dit --username --show
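An added example, not part of this thread or of hashcat: a small Python audit over the same user:rid:lm:nt::: dump format that reports which accounts still have an LM hash stored (any LM field other than the empty-LM value quoted in step 2), which is the finding an administrator acts on by disabling LM hash storage and rotating those passwords. The sample lines and every hash value in them are constructed placeholders.

```python
from dataclasses import dataclass

# Value an LM field holds when no LM hash is stored (the hash of the empty password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# LM hashes each 7-character half of the password separately, so a second half
# equal to the empty-LM half means the password is 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[16:]

@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM

    @property
    def short_password(self) -> bool:
        return self.lm_stored and self.lm[16:] == EMPTY_LM_HALF

def parse_dump(text: str) -> list[Account]:
    """Parse user:rid:lm:nt::: lines; blank lines are skipped, malformed ones rejected."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed dump line: {raw!r}")
        user, rid, lm, nt = fields[:4]
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts

def audit(text: str) -> dict:
    accounts = parse_dump(text)
    lm_users = [a.user for a in accounts if a.lm_stored]
    short = [a.user for a in accounts if a.short_password]
    return {"total": len(accounts), "lm_stored": lm_users, "short_password": short}

# Constructed sample dump; the hash values are placeholders, not real credentials.
SAMPLE = """\
alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
bob:1105:0123456789abcdefaad3b435b51404ee:22222222222222222222222222222222:::
svc_backup:1106:0123456789abcdeffedcba9876543210:33333333333333333333333333333333:::
"""
```

Running `audit(SAMPLE)` lists bob and svc_backup as still carrying LM hashes, with bob additionally flagged for a password of 7 characters or fewer.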